Crowdsourced Security
The ultimate guide to proactive cybersecurity best practices
This article provides an overview of the modern security landscape, current challenges associated with cybersecurity, and crowdsourced security.
For most organizations, cybersecurity has moved from a technical concern to being a central part of their operational strategies. An increase in the share of the global population with internet access has resulted in an increase in the number of points of attack. However, this has also meant an increase in the talent available to draw from for the establishment of the blue team—security experts focused on protecting organizations from attacks. To make the most of diverse talent, organizations need to align their security practices to draw from a global talent pool and position themselves as partners and allies of the broader security community.
What is crowdsourced security?
Crowdsourced security is an approach to securing digital assets that draws from the collective skill and experience of the world’s community of security researchers, or ethical hackers. These highly capable individuals are given the direction, scope, and incentives they need to identify and report vulnerabilities, effectively simulating the varied techniques employed by threat actors.
Crowdsourced security relies on the wisdom of the crowd, a phenomenon in which large groups of people are collectively smarter than individual experts. Provided the sample size is large and diverse and each member of the crowd is acting independently, a group can make discoveries and identify opportunities more effectively than even the most capable and expert individuals. In nature, this phenomenon is reflected in herds of animals that are more effective at finding food and shelter than, say, the lone wolf, and in security, this means that crowds of hackers can identify and resolve security bugs faster than over-burdened internal teams and dynamic attackers.
Casey Ellis recognized the potential of this collective wisdom and harnessed it by founding Bugcrowd, the world’s first crowdsourced security platform, in 2012. Bugcrowd was built on the strong spirit of collaboration that is in the DNA of the hacking community, as identified by collaborative software legends like Linus Torvalds in his prologue to The Hacker Ethic. Just as Torvalds tapped into the open-source community to build a sophisticated operating system from the bottom up, Bugcrowd was founded to draw from the distributed intelligence of security experts to create a new and compelling security offering.
Ellis started a movement that has grown massively, providing organizations with access to the world’s best security minds to quickly identify and rectify security challenges. The sector also offers financial opportunities to people in exchange for nothing more than their creativity and knowledge, making it the purest form of meritocracy in the digital world.
What is ethical hacking?
When discussing cybersecurity, one of the first terms that will come up is “hacking” or “hackers,” so it’s worth taking the time to define what hacking is. The Oxford definition of hacking is “the gaining of unauthorized access to data in a system or computer,” which sounds quite criminal. The implication that hacking is illicit and unauthorized persists across definitions, with even cybersecurity company Kaspersky conceding that while it is not always malicious, “the term has mostly negative connotations due to its association with cybercrime.”
Merriam-Webster defines a hacker as “an expert at programming and solving problems with a computer.” While attackers may lean into this definition, Bugcrowd is part of the movement to reclaim the word and reframe it in morally neutral terms. Hacking is not inherently bad, which is why Bugcrowd believes that a modifier is needed when discussing the motives and methods of hacking.
Security experts can be ethically motivated and use their skills to increase security standards (white hats), or they can have criminal intentions and use their skills to break the law (black hats). The terms “white hat” and “black hat” come from Westerns created a century ago, when directors used wardrobe choices to clearly indicate who the heroes and villains were. In a lawless place like the Wild West, those with the cutting-edge security skills of the time could use their abilities to rob banks and saloons or to support the local sheriff in fighting crime, and a similar choice faces security experts in today’s digital world.
White hat hackers can also be referred to as ethical hackers, security researchers, or just hackers. At Bugcrowd, our report Inside the Mind of a Hacker shows that 96% of hackers believe that they help companies fill their cybersecurity skills gap, so when we use the term “hacker,” we are talking about the good guys.
Hacker community collaboration
Crowdsourced security leans into community and collaboration, which is why hacker-powered security can be so powerful. Working with a crowdsourced platform like Bugcrowd gives organizations access to the widest pool of talent and allows them to broker interactions with hackers and triage responses so that buyers only have to pay for results.
Thus, Bugcrowd acts as an agent for hacker talent, a consultant for companies looking to invest in their security, an auditor who vets the particular talent they require, a broker between organizations and the security community, and a clearing house for each transaction to ensure that bugs get squashed and hackers get paid—with everything implemented in a SaaS platform for scale, efficiency, and ROI visibility.
In terms of the types of collaboration on bug bounty programs, organizations can opt for public programs that are open to everyone on the platform, a middle tier that involves those with experience on the platform who have had their identity verified by Bugcrowd, or private programs open to specially selected hackers who have been fully vetted. While opening programs up to the wider Crowd can seem daunting, it’s worth bearing in mind that many companies’ assets are open to the full universe of threat actors 24/7, and anyone who has worked at a security operations center will testify to the level of scanning that ports and apps receive nonstop.
To find the crowdsourced security solutions that are right for you, remember to look for platforms with good working relationships with the hacking community, as well as third-party platforms that have the relationships and the experience to apply their skills to your security challenges.
What are common crowdsourced cybersecurity solutions?
Crowdsourced security solutions are just like any other security solution in the sense that they dynamically change according to the needs of the industry. At present, the three most popular solutions that draw from distributed security talent are vulnerability disclosure programs (VDPs), bug bounty programs, and penetration testing/pen testing as a service (PTaaS).
What is a vulnerability disclosure program (VDP)?
A VDP is a structured framework that allows and invites hackers to submit vulnerabilities they discover in an organization’s digital infrastructure to the organization directly. These programs offer clear guidance on how hackers can bring vulnerabilities to the attention of an organization, and if done correctly, organizations will disclose these vulnerabilities to give credit to the hackers who took the time to help them.
Ignorance can be bliss for individuals, but it is a disaster for organizations aspiring to stay at the cutting edge of contemporary security. VDPs represent a first step toward tapping into crowdsourced security and building a relationship with the security community by acknowledging vulnerabilities that arise, remediating them quickly, and working with the hackers who found them to ensure responsible disclosure.
Bugs discovered as part of private bounty programs need to be triaged and resolved quickly and effectively, but they are not necessarily publicly acknowledged. While prestige and status are important to hackers, they understand when working on private programs that they are rewarded financially and are expected to protect clients’ confidentiality.
When vulnerabilities are discovered and shared by a good Samaritan through a VDP, disclosure becomes more important. Companies that ignore submissions, dismiss legitimate concerns, or threaten legal action soon run out of friends in the security community, which in turn erodes their security posture. In contrast, having an open and generous policy that rewards submissions from the community, even if such a reward is no more than a public acknowledgement, can keep the important constituency of hackers on an organization’s side. Protecting their rights means providing clear communication that includes legal protection for hackers through safe harbor.
Responsible disclosure
Responsible disclosure refers to the best-practice interaction between a hacker submitting a vulnerability report and the company receiving it. For hackers, this means disclosing vulnerabilities to the affected organization in a responsible manner, allowing them time to fix the issue before making it public. For organizations, this means quickly acknowledging the submission and expressing recognition while maintaining communication with the hacker in question so that they can publicly take credit once the issue has been remediated.
Responsible disclosure is part monitoring, part hacker relations, and part building a culture of humility that intersects with high standards of security. If done correctly, responsible disclosure can create a flywheel of hacker community collaboration based on mutual respect.
What is a bug bounty program?
Bug bounty programs are result-focused security initiatives that incentivize hackers to uncover and report security vulnerabilities within an organization’s digital infrastructure. Bug bounties are attached to a financial reward based on the criticality of the vulnerabilities identified and remediated and are the original and most widely used crowdsourced cybersecurity solution. They can ensure the rapid evaluation and remediation of novel threats, such as when new zero-day vulnerabilities emerge.
The first bug bounty program was run for Netscape Navigator back in 1995, but it wasn’t until 2012 that the service was offered by a third-party platform with the founding of Bugcrowd.
These programs provide hackers with access to digital assets and infrastructure that allows them to test their security and find vulnerabilities, offering prorated cash rewards based on the severity of the new bugs discovered. Such programs can be managed internally, with organizations’ employees responsible for reviewing and prioritizing submissions while engaging with hackers. Alternatively, they can be conducted in collaboration with a trusted partner such as Bugcrowd.
Companies turn to bug bounty programs to supplement and strengthen their existing internal security processes. The crowdsourcing model allows for a wider pool of talent and diverse skill sets to be leveraged, often leading to the discovery of more critical vulnerabilities that may otherwise have gone unnoticed. By engaging hackers, companies can proactively find and fix issues before they can be exploited by malicious actors.
What is penetration testing?
Pen tests are security tests in which testers mimic real-world attacks to find ways of circumventing the security controls of an application, system, or network that fail to protect vital assets. Pen testers operate as a team, working within a defined scope for a set time period and closing each engagement with a report of the vulnerabilities detected.
Crowdsourced pen tests are a new take on a longstanding security service, adding capabilities that make the most of the talent they reach and feed findings back into software development. They can provide targeted and detailed assessments of digital assets and infrastructure quickly and efficiently while meeting regulatory compliance needs, just as traditional pen testing does.
Pen testing has a long history dating back to the 1990s, arguably evolving from the “tiger teams” that tested spacecraft in the 1960s. But it’s only in the last five years that crowdsourced security has unlocked the full potential of pen testing, with the most recent innovation being PTaaS. PTaaS modernized the pen testing experience, bringing scale and efficiency to what is traditionally a manual, consulting-heavy offering.
Crowdsourced threat detection
Security services were traditionally provided in a manner similar to any other service; buyers would hire a professional based on their reputation, agree to a fee based on the going rate, and hope that the professional would get the job done. Companies might have security testers on staff to evaluate products and infrastructure as they would janitors to keep a building tidy, or they might hire pen testers for a software project like they would hire a plumber to fix a leak. Where the analogy breaks down is that dust and water do not behave like intelligent third parties, and facilities and pipes are not complex environments that are rapidly changing daily.
Vulnerabilities are weaknesses in IT systems or software that can be exploited by attackers. With digital systems and environments changing on an almost hourly basis, new vulnerabilities are a fact of life and will always grow with us.
To address vulnerabilities, crowdsourced threat detection is a subset of crowdsourced cybersecurity that taps into the wisdom of the crowd to identify novel threats in close to real time. To paraphrase the crowdsourced security commandment Linus’s Law, with enough eyeballs, all emergent threats are definable. Investing in bounty programs and crowdsourced pen tests taps into community intelligence, and the diversity and breadth of experience in this community can reveal new risk vectors and remediate threats as they emerge.
Furthermore, crowdsourced programs will often incentivize creativity pivotal to innovation and the cutting edge by offering greater financial rewards for emergent and critical vulnerabilities. This creates a marketplace for quick responses that allows buyers to shield themselves against new threats based on the power of community intelligence.
How does crowdsourced security work?
The lifecycle of a crowdsourced security program varies according to the needs of each buyer. If you plan to gradually upgrade your security mix, you are most likely to start by implementing a VDP. This is a framework that allows hackers to voluntarily and altruistically submit bugs that they uncover in a company’s infrastructure and products. For some organizations, limiting testing to a single asset (e.g., a website or mobile app) is a good way to get started to ensure remediation processes are in place.
As companies become confident in their ability to review submissions, resolve vulnerabilities, and reward hackers by disclosing their inputs, they should consider adding tangible rewards by implementing their first bug bounty program.
A bug bounty program adds economic incentives to the VDP concept. These can be run in-house with employees reviewing and triaging submissions, as well as engaging with hackers, or they can be run with a partner like Bugcrowd. Buyers have the option to make their programs public and benefit from the wisdom of all the world’s hackers or to work privately with a handpicked group to allow for more vetting, targeted skill matching, and geographic selection.
Companies pay rewards based on the impact of vulnerabilities, meaning that with investment over time, bug bounty programs will surface more critical vulnerabilities. This dynamic pricing scheme allows buyers to ensure that the most harmful exploits are discovered first and allocate their budgets effectively to protect high-value assets. These data can also be used to identify the most frequently targeted assets and to direct additional resources to prioritize security investments.
Once a company has identified its most valuable assets—the “crown jewels”—the CISO will typically look to invest in maximizing their security. An effective way to rigorously test and evaluate security posture is by using pen tests. While historically delivered as standalone projects by small teams, crowdsourcing enables the scale and access to skill sets that are key enablers of the vision of PTaaS.
These crowdsourced pen tests can launch quickly, provide real-time reporting, and be integrated into the security development lifecycle (SDLC). They offer a bigger bench of testers to choose from, including deep-sector experts and those with security clearance.
Over time, buyers have generally increased their investment in crowdsourced security as part of their overall security mix. Investing in bug bounty programs means paying for results, and dynamic pricing gives valuable data to CISOs about what their budget should be and how they should allocate it. Crowdsourced security is a valuable way to support and enhance existing security measures.
Types of organizations that use crowdsourced security
There is a misconception that only tech companies leverage crowdsourced security. However, our data show that this isn’t accurate. While crowdsourced security is heavily used in the tech space, organizations from a wide variety of industries use the Bugcrowd Platform. Here are some examples of industries using crowdsourced security in 2023:
Aerospace and defense
Automotive
Banking
Chemicals
Civic/Non-profit
Computer hardware
Computer software
Construction
Consumer product manufacturing
Consumer services
Corporate services
Electronics
Energy and environmental
FinServ
Food and beverage
Government
Healthcare
Holding companies
Industrial manufacturing
Insurance
Leisure
Media
Pharma and biotech
Real estate
Retail
Schools and education
Sports and recreation
Telecommunications
Transportation
Examples of Companies Leveraging Crowdsourced Security
ExpressVPN
ExpressVPN, a leader in privacy and security, works with Bugcrowd because it offers an unparalleled ability to match an exceptional team of skilled hackers to ExpressVPN’s highly technical needs. Bugcrowd enables ExpressVPN’s mission to embed privacy in users’ internet experiences through its bug bounty program, which protects the company’s reputation for having excellent security among hackers and users.
Rapyd
This UK fintech firm chose Bugcrowd because of its ability to rapidly scale security programs during a time of major acquisitions. Bugcrowd used CrowdMatch technology to provide Rapyd with access to hackers with fintech expertise. Within a year, these hackers surfaced 40 vulnerabilities, 15 of them deemed critical.
T-Mobile
This US telecom giant engaged Bugcrowd to manage a public bug bounty program for testing its applications and websites. Hackers’ vulnerability submissions and remediation efforts have helped to keep the country’s largest 5G network safe.
What are the benefits of crowdsourced security?
Crowdsourced security offers companies more expert eyes in reviewing infrastructure in greater detail than is possible for an internal team or a select group of consultants. Tapping into the wisdom of the crowd helps to address security challenges and even flag issues and solutions that companies are unaware of, providing novel and actionable advice that cuts to the core of a company’s security posture.
On top of engaging more talent to aid in securing a company, tapping into the world’s hacker expertise ensures security support around the clock. Threats and malicious actors are geographically dispersed and do not operate during work hours for a given market, but using crowdsourced security reverses this advantage, as global talent can provide continuous coverage of assets.
Security professionals often struggle to justify budgets to non-technical colleagues, and the ROI in security tools and talent isn’t always easy to communicate. However, working with hackers in bug bounties means that buyers only pay for results rather than investing in products and services in advance and hoping that they live up to the billing of a smooth-talking sales team. By providing a liquid market for vulnerabilities, bug bounty programs provide a clear indication of each buyer’s security posture and priorities relative to their budgets.
Beyond the immediate security advantages of crowdsourced security, it also affords companies the opportunity to build strong relationships with the global hacker community. By engaging with these professionals, companies not only benefit from their expertise but also demonstrate a dedication to proactively addressing security concerns. This relationship fosters trust, enhances a company’s reputation, and sends a clear message to customers about the importance companies place in safeguarding their data. This can elevate the status of a company’s CISO and internal team and help with hiring or thought leadership in this space, thereby improving the overall security brand.
Risks associated with crowdsourced security
Hacker-powered security has not been around for long, so there are still some teething problems when it comes to its effective implementation. One risk when implementing a VDP for the first time is failing to clearly indicate legal liabilities and to reassure hackers that there will be no consequences to their security testing. By failing to resolve this legal ambiguity, companies may inadvertently create issues for the hackers who are trying to help them, as well as reduce the number of people willing to submit vulnerabilities.
Another risk that can reduce the effectiveness of VDPs is the failure to engage effectively with the cybersecurity community, particularly around disclosure. Companies that commit to implementing a VDP need to proactively monitor submissions and be responsive and respectful to those who put in the effort to submit a bug. Junior hackers, in particular, are often willing to contribute their time and skills to finding vulnerabilities free of charge. In exchange, they will look to have their hard work publicly recognized by the company that receives their submissions. Failing to offer and engage in clear disclosure can lead to strained relationships with the hacker community.
Getting scope right also presents a risk to buyers of crowdsourced security. For smaller companies starting out, this could mean implementing a VDP that covers every asset despite having limited internal resources. Failing to provide crowdsourced security programs with the appropriate internal resources can cause internal burnout while leading to frustration on the part of hackers, which can harm a company’s reputation in the community.
This same issue applies to mature companies operating on a larger scale. For example, CISOs need to be strategic when buying crowdsourced security by identifying where they can get the highest ROI for their budget before investing heavily in bug bounties. Pen tests and bug bounty programs are effective ways to protect crown jewel assets, but making the scope too broad can cause companies to boil the ocean, soliciting submissions from across a wide range of assets and infrastructure without resolving threats to the primary attack vectors.
There is also a risk that companies do not have the internal capacity to engage with hackers effectively. If the scope for bug bounties or pen tests is too wide, then a small team may find the number of inbound submissions and the need to triage and remediate overwhelming.
Finally, there is a risk that users will opt for the wrong solution when buying crowdsourced security. Companies looking to secure crown jewel assets in the technical industry may find that a VDP does not go far enough and should instead opt for a crowdsourced pen test.
All of these risks are manageable. Companies launching VDPs that are unsure of scope, liability, and disclosure can look to open-source templates, and savvy CISOs can quickly learn to invest strategically in their top assets and get the balance right between internal capacity and crowdsourced support. Understanding hackers’ strengths and capabilities and the benefits of working with them in advance significantly helps with this process.
Security challenges that crowdsourced security addresses
Crowdsourced security provides a fresh perspective on a company’s vulnerabilities and security challenges, drawing from the wisdom of the crowd to identify threats that might have been missed by employees used to viewing assets in a certain light. By involving a diverse range of experts, hacker-powered security can provide rapid feedback that helps gauge the overall strength of an organization or an asset’s security posture.
Security rewards programs also scale quickly and efficiently, allowing organizations to invest rapidly based on the urgency of a given problem or the criticality of an asset being tested. The ability to see high-quality results quickly sets crowdsourced security apart from other tools and services and makes it invaluable in providing discrete responses, whether ahead of product launches or in response to board-level concerns.
This same flexibility makes crowdsourced cybersecurity solutions particularly valuable when dealing with new and novel threats. If we look back at the historic Log4J vulnerability discovered on December 9, 2021, we see that activity on Bugcrowd’s platform spiked on the day of the announcement, peaking with nearly 300 submissions just two days later. Most of the P1s (the most critical vulnerability submissions) were handled in under three hours, a rate of production that no internal team could possibly manage. Identifying and neutralizing threats so soon after they emerge is a central strength of hacker-powered security.
Security testing platforms
What is a platform?
There are many definitions of a software platform, from theoretical to technical. Platforms are software mechanisms offered by technology companies that can be supplemented and enhanced by third parties. Bill Gates crucially added that a platform is when the economic value of everybody who uses it exceeds the value of the company that created it; therefore, security platforms should increase the security postures of buyers and remunerate hackers by a multiple of the value captured by the platform owner. Furthermore, they should provide a marketplace for buyers of crowdsourced solutions and a unified workspace for hackers that radically enhances the user experience relative to what companies can build themselves.
Traditional security tends to be an ad hoc administrative arrangement that is heavy on consultant hours. Platforms provide core services, such as bug bounty programs, PTaaS, vulnerability disclosure, and attack surface management. This suite of offerings brings efficiency at scale, consistency, and contextual intelligence to crowdsourced security.
The Bugcrowd Platform is an AI-powered, multi-solution platform built on the industry’s richest repository of vulnerabilities, assets, and hacker profiles curated over a decade. This allows us to find the perfect hacker talent for goals like pen testing, bug bounty, and vulnerability intake and disclosure, as well as to ensure the scalability and adaptability that come with a functional talent platform.
What to look for in a crowdsourced security platform
Crowdsourced security platforms live and die by the number and quality of hackers that they can draw from, but attracting and retaining this talent means offering a seamless technical solution that rewards and respects this talent while offering the best possible customer experience.
Hackers want to know that their submissions will be validated and triaged quickly so that they are rewarded for their hard work, particularly when handling new and novel vulnerabilities where time is a factor. Some platforms will use third parties to handle submissions, but remediating bugs effectively means validating and triaging them quickly on the platform side, with critical ones handled within hours.
Buyers also want the process to be smooth and efficient, ideally to integrate the platform’s outputs into DevSec tools that they use in their technology stack. This helps to ensure that remediation is done as early as possible in the development cycle, building a culture of continuously testing apps and APIs before they ship. Platforms that provide dashboard reports offering insights on severity, payments, bug types, and trends in discovery also help CISOs determine ROI and the value of a program.
Separating signal from noise is a top priority for security teams dealing with third parties, especially where automated tools are involved. Scanners are notoriously noisy and are becoming more prominent in today’s AI-driven world, so separating signal from noise on the submission front takes time and expertise.
Therefore, the top platforms are those that proactively address noise and provide a high signal-to-noise ratio. Higher submission numbers shouldn’t create spikes in false positives that suck up company resources, and good platforms should reduce the internal team’s workload rather than increase it.
About the Bugcrowd Platform
The Bugcrowd Platform brings the right crowd into your security workflows at the right time, allowing you to run bug bounties, pen tests, VDPs, and more at scale and in an integrated, coordinated way. Bugcrowd uses proprietary CrowdMatch AI to match qualified, trusted hackers to your individual security needs, as well as rich reports and analytics to offer continuous insights about trends in findings, payments, criticality, and more.
By seamlessly integrating with your SDLC, the Bugcrowd Platform resolves issues from the ground up so that you see results instantly. A team of global security engineers works as an extension to the platform, validating and triaging submissions so that the most critical vulnerabilities can be resolved within hours.
After over a decade spent at the forefront of crowdsourced cybersecurity crafting solutions for thousands of customers, Bugcrowd brings an extensive repository of data to discovery and remediation, as well as intangible knowledge around the mindset and attitudes of the world’s security community.