Bugs you want to pay for
Casey Ellis talks about his move to CTO and what the future holds for the burgeoning Bugcrowd platform.
When I first started writing in cybersecurity almost three years ago, bug bounties were still this elusive thing that no one wanted to talk about. Since then, a lot has changed about the perception of bug bounty platforms, and the benefits of proactively working with researchers.
In August of 2015, I attended my very first DefCon in Las Vegas where I conducted face-to-face interviews for the first time in my journalism career. I was a n00b, and Casey Ellis, then CEO at Bugcrowd, gave me a bit of his time.
I’ve since loved watching the company grow, so it was exciting for me to learn about the executive level changes that have happened for Bugcrowd this fall. Of course, I had some questions for Ellis, and despite his hectic schedule, he again carved out some time for me.
KSZ: What most excites you (and/or makes you nervous) about this new position?
CE: Pioneering the bug bounty platform model, and growing Bugcrowd into a more than 100-person company serving a large and growing number of Fortune 50 companies has been one of the greatest accomplishments of my career.
However, with such a rapidly growing company I found myself spending an increasingly large amount of time focused solely on running the business and less on what I’m truly passionate about: Building and driving the vision. This was the main catalyst for launching the search.
As Chief Technology Officer, I’ll be able to dedicate more of my time to expanding the vision for Bugcrowd and for the crowdsourced security industry, and it’ll enable me to spend more time out there evangelizing the model.
Crowdsourced security is the future. The amazing adoption we’ve seen indicates that the model holds the key to covering the Internet’s expanding attack surface and eliminating economic and resourcing asymmetries between attacker and defender — all while addressing the cybersecurity skills shortage.
KSZ: What is the “next level” you see for Bugcrowd?
CE: Vulnerability disclosure and bug bounty programs have grown at an incredible pace, but there are still literally millions of companies that haven’t engaged this model yet.
The next level of this is more of the same: increased adoption in more traditional industries like auto, finance and retail, a growing, engaged crowd, and a bigger team to power the model, managing programs from beginning to end.
I also see the market evolving, looking beyond the traditional (or untraditional as it were) bug bounty program, and using a crowdsourced model for access to human creativity as a way to stay ahead of the smarts of the adversary.
KSZ: What advice do you have for those who are interested in getting into security as a researcher?
CE: Connect with the community, read and watch everything you can find, and never be afraid to ask “dumb questions”.
Bug hunting provides ample opportunities for education — you don’t need to be a professional to get started. Whether full-time or hobbyist bug hunters, many in our crowd cite learning as a key driver for doing bug bounties, and the majority have goals to submit more bugs.
In order to accomplish this, they are constantly honing their skills — and often sharing them.
Our LevelUp conference earlier this summer, the first virtual conference for hackers by hackers, provided more than 20 sessions filled with tutorials on hacking web, mobile, API, hardware, thick clients, and browsers.
LevelUp encompassed one of our main goals for the crowd: making Bugcrowd a home for researchers. Our platform was built to connect skilled security researchers and customers that need security testing, but it goes beyond that. We are providing more than an opportunity to make money, we are providing an opportunity to build skills.
Security is a constantly evolving area — bug bounties provide a way to learn, grow, and prove your skills… all while making money.