An Open Letter for Costanoa Ventures Access Fellowship

Giving away the ideas for a future applicant

This week I was talking at Twitter with the Costanoa Ventures crew about a very interesting application they do every year.

The position is called Access Fellowship, and you can read more about it here at Medium:

Greg Sands, the founder and Managing Partner at Costanoa Ventures wrote in the post:

On a personal level, the inspiration for this is my maternal grandmother, Clarice Mattson, the first in a long line of strong women in my life. She was a bright inquisitive kid, the first in her family to leave the farm in rural Minnesota to seek a college education at the University of Minnesota. In the 1950s, she raised four children on her own. She ran the sports program at the local recreation center including a large dose of speed skating before she went back to graduate school and got her degree in social work. She grinded. Sometimes she suffered under the weight of it all. But she never stopped trying and doing her best.
We’re looking for people like Clarice — someone with drive, determination, and intelligence to spare.
Because we focus on companies that change the way the world does business, we want someone who has a couple of years of business experience, likely between years at business school but an engineering or computer science student is also welcome. Demonstrated love of technology and/or entrepreneurship is a must but a technical degree isn’t. Exceptional professionalism, execution and comfort using excel and other analytical tools are necessary. Achievement in your chosen fields, demonstrated ability to take on outsized challenges and rise to the occasion, initiative and leadership will be central to our process.
We look forward to getting to know more of the next generation’s rising stars and creating access to a new path for wherever your journey leads you…

The first reaction I got was to apply for the position. Why? It’s nothing related to money, fame or recognition: It’s about the incredible learning experience that anyone could achieve with the position.

But after a while, thinking deeply about this; I realized that I couldn’t apply for it.

Due to U.S embargo laws, any company or organisation based in the U.S can’t hire Cuban professionals based in Cuba. That’s the reality that we are living today here, but this is not the main topic to discuss today.

So, I was talking with my business partner about the position and what I could do for it, and many ideas came to the discussion; and then he said:

It seems you love this stuff. Write about this, share the ideas with the world. Who knows. Maybe others could read this and you could help them to make a good impression and actually to implement some of them. Share them with the world

Thanks a lot, Rafa. Here we go. Let’s get creative.

The application

The Access Fellowship application is divided in 5 points:

1. Please provide your first and last name.
2. Please provide your email address and mobile phone number.
3. Please provide your LinkedIn URL.
4. Pick one of Costanoa’s portfolio companies. Assess the company in the following areas (max: total 750 words, submit PDF):
— Team
 — Product
 — Market
5. Submit a two minute video of yourself sharing what your favorite product is and why you love it.

I will concentrate in the point 4.

As a Security geek, my favorite companies in the portfolio are all related to Security solutions:

So, I will pick Bugcrowd here to develop Point # 4.

Fist, Who are Bugcrowd?

Bugcrowd is trusted by more of the Fortune 500 than any other crowdsourced security platform. Why? Because people need the increased security of a bug bounty without all the extra work and chaos. Bugcrowd cracked the code on crowdsourced security through rock solid program management, relationships that work, and relentless innovation. That’s how our public, private, and on-demand bug bounties find seven times as many critical vulnerabilities as traditional testing. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Bugcrowd. Outhack Them AllTM. Learn more at www.bugcrowd.com.

Bugcrowd has developed Bug Bounty programs for several well known companies:

Team

The team behind Bugcrowd has several decades of experience developing Enterprise Security Solutions. Casey Ellis (CTO), who is the founder of the company has a vast experience in the Bug Bounty programs, but he was smart enough to take the company to the other level bringing top executives like Ashish Gupta to take the CEO´s role, Rick Beattie as VP of Sales and Jonathan Gohstand as VP of Product Management on February 15th, 2018.

Now, on March 1st, 2018, they announced a new financing of $26 Million in a Series C round to grow exponentially the Bugcrowd´s crew and have better weapons to help more Enterprise clients to “Outhack Hackers”.

About the new round, Ashish wrote:

We know that attack surfaces and the creativity of cyber attackers are growing faster than the availability of traditional defenders and capabilities of traditional tools — creating an asymmetric battle for organizations. Despite rapidly changing business needs, most organizations continue to use the same legacy tools and strategies to secure their digital assets. Nearly half (47%) of companies use traditional Web Application Security solutions that take a reactive approach, while 66% of organizations use Penetration testing, which doesn’t always provide the breadth and depth of latest security knowledge required to secure their organization’s products. Nearly 55% of companies report using web scanners as part of their standard toolkit, even though scanners are limited to what they’re programmed to find.
Despite all of this investment in security, we continue to see breaches increase in number and scale. At the same time, the resource constraints security teams face are growing. By 2020, there will be about 1.5 million unfilled cybersecurity positions. Organizations find themselves in a situation where they have to make compromises, for example, between efficiency and quality if they stay with the status quo.
At Bugcrowd, we help our customers move beyond the status quo. From the very beginning, we have been leading the charge in transforming the cybersecurity landscape. By combining the world’s most experienced team of security experts and the market’s only enterprise-grade crowdsourced security platform, Bugcrowd connects organizations to a global crowd of trusted security researchers to identify vulnerabilities — before adversaries do.

I strongly believe that this team (and all Bugcrowd´s employees) could lift the company to new levels. Like I said to my partner today:

If Bugcrowd would be a public company, we would invest on them.

Product

They have developed an incredible product here with the several programs inside the platform, but the real deal here is “The Crowd”. They have recruited more than 75k Security researchers around the globe to fill the gap on Security Engineering.

They are the real heroes here, and Bugcrowd has been smart enough to rewarding accordingly.

Market

The big number here? $4.5 Billion USD.

But, I strongly believe there is a bigger market there.

Just consider some of the words that Ashish shared in the post about the financing round:

Despite all of this investment in security, we continue to see breaches increase in number and scale. At the same time, the resource constraints security teams face are growing. By 2020, there will be about 1.5 million unfilled cybersecurity positions. Organizations find themselves in a situation where they have to make compromises, for example, between efficiency and quality if they stay with the status quo.

Could you imagine a better place to find Top Security Researchers for your organization? That´s why I think that Bugcrowd could capitalize on that and create a Job Board using “The Crowd” data. Read the Idea # 4 below later.

So, let´s discuss some ideas we believe that could take Bugcrowd to the next level.

The ideas

Idea # 1: Develop a powerful Referral Program for “The Crowd”

Inside “The Crowd”, there are more than 75,000 Security Researchers around the globe, but they could grow its audience implementing a new Referral Program.

Many of these Security researchers come together in hacking conferences, online forums and Security communities around the globe, so it could be very interesting to give them a reward for bringing new members to the platform.

The amount or the form of rewarding is up to you, but it could be very interesting to see this.

I let you here some recommended readings about Network effects:

Idea # 2: Work in a podcast/video series called “The Code Crackers” to extend Inside the Mind of a Hacker 2.0 series

There many experienced Security researchers that they known that there is a good side-job as part of “The Crowd”. So, Why not bring to more Security Researchers to share their stories in a videos series called “The Code Crackers”?

This is a mock name, Inside the Mind of a Hacker 2.0 works as well. :)

Idea # 3: Make a Survey to all Bugcrowd Enterprise Clients and Build a Shared Revenue Program with Potential Partners

If Bugcrowd has a bigger audience from Fortune 500, there are more Security problems to fight everyday.

The 2018 CISO Investment Blueprint provided a lot of information about the current worries of CISOs today, so why not use this data and market intelligence to work closely with more Security partners?

For example: with the news about the recent massive DDoS attacks of 1.3 Tbs to GitHub and the other of 1.7 Tbs discovered by Arbor Networks; it could be a great opportunity to ask to Bugcrowd clients about all these topics and guide them to great companies like Cloudflare, who has in place a very interesting Enterprise Referral program as well:

This could be another source of capital for Bugcrowd.

Idea # 4: Make a Jobs platform using data from “The Crowd”

I discussed this already, but I will write again about it. Just imagine to use “The Crowd” as a recruiting tool for Security Engineers and Researchers.

Just imagine if Etsy in its new Bug Bounty program defines a level of points to find the right candidate for a Security role for the company.

Just making a quick review of Etsy´s Careers page, there are several positions focused on Security, and if they could find in a shorter period of time (according to Lever, 45 days is the average time for a job application) better candidates for the company. It could an interesting opportunity to pursue.

Idea # 5 Work in a new video series called “CISOs at Work

CISOs at Work Video Series

The audience is eager to know what are the worries, tools, strategies executed by CISOs today. Why not convert this to a video series? It could be a terrific Marketing opportunity for Bugcrowd.

Format? I love the format from High Resolution Podcast:

Conclusions

The conclusions are simple here: Just use these ideas or this post to apply for the Access Fellowship at Costanoa Ventures, or write your own; I would love to read it as well.

And if you want a bigger role at Costanoa Ventures, they are hiring an Associate as well:

Or if you like what Bugcrowd is building, you must check it our its Careers page too:

My favorite positions there?

Thanks again for reading and good luck in the application.