Bug bounty platform vendor Bugcrowd announced on March 1 that it raised $26 million in a Series C round of funding. The company will use the funding to grow its go to market efforts and expand what its crowdsourced bug bounty platform is able to do for organizations.
The new funding round was led by Triangle Peak Partners and brings Bugcrowd’s total funding to $50 million. The company’s last funding round occurred in April 2016, when it raised $15 million.
“There has been a lot of validation for the whole bug bounty industry over the last year,” Casey Ellis, founder and CTO of Bugcrowd, told eWEEK. “We’re looking to capitalize on that and expand the good word of bug bounties to the broader market and not just tech companies.”
With a bug bounty program, security researchers are rewarded for responsibly and privately reporting security flaws in software. In its 2017 State of the Bug Bounty report, Bugcrowd reported that the average bug report earns researchers $451 across all industries. Automotive clients had the highest average bug bounty payout at $1,514.
Ellis said bug bounties mean different things to different people. For some, it’s an opportunity to enable responsible disclosure of security flaws, while for others it’s about resources.
“For some people, they see bug bounty programs as a way to get access to more human creativity, as a model for resource arbitrage,” he said.
Ellis started Bugcrowd in 2012, after spending time working in the penetration testing space and realizing that there was a better way to bring talent to bear on security issues. At its core, Bugcrowd provides companies with access to a pool of talented security researchers, according to Ellis. While helping with vulnerability disclosures is a good starting point, there are other areas where the crowd can be deployed to help organizations, he said.
“I didn’t start Bugcrowd because I thought bug bounties were cool,” Ellis said. “For me, bug bounties were the catalyst to help change the way that people think about how they find resources for problems.”
Compliance
One area where Ellis is looking to apply Bugcrowd’s resources is helping organizations with different compliance initiatives, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR).
Over the past year, Bugcrowd has worked with its clients and compliance auditors to figure out how to enable the crowdsourced model for compliance requirements, he said. Bugcrowd now has programs for clients that include process elements as well a report that goes to an auditor that can help organizations with multiple compliance objectives, including PCI DSS.
“The challenge is how to take a concept that is inherently chaotic, [take] a crowd of people and [apply] it to a problem, and then create a product that has the right structure to meet an auditor’s requirements,” Ellis said. “We’ve actually done that now.”
Bug Bounties
Bugcrowd competes with multiple vendors that provide managed third-party bug bounty platforms. Among them is HackerOne, which raised $40 million in a Series C round of funding in February 2017, and Synack, which raised $21 million in April 2017 in its Series C round of funding.
Ellis said there is a lot of opportunity in the bug bounty market overall.
“It’s not a winner-take-all market, but we want to take as much of it as we can,” Ellis said. “How we differentiate with others is being proactive about what the customers, including both the hackers and the program owners, need.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.