Beyond Bug Bounties: Crowdsourced Security Testing Evolves

Governance , IT Risk Management

Bugcrowd’s David Baker on Targeted ‘Researcher Grants,’ Waning ‘Crowd Fear’

David Baker, CSO, Bugcrowd

Crowdsourced bug bounty programs help organizations identify severe flaws in their IT infrastructure, apps or other code. Now, that model is being used to help organizations perform more widespread security testing, including penetration testing as well as deep dives by single researchers, says Bugcrowd CSO David Baker.

See Also: 10 Incredible Ways You Can Be Hacked Through Email & How To Stop The Bad Guys

“Traditionally … you’ve had a large group of people sort of gamified – the first one to find a bug gets paid, and so that tends to work very well,” Baker says.

But as technology evolves and more web and mobile applications rely on APIs, more specialized types of technology review and testing need to be brought to bear, he says. That’s given rise to Bugcrowd’s more “gig economy” approach, called researcher grants. “We will give a certain researcher a certain aspect of that technology to look at and research,” Baker says, and then that researcher will produce a report with detailed findings that can also be used to also satisfy audit requirements.

In a video interview at the recent Infosecurity Europe conference, Baker discusses:

  • The state of the crowdsourced security testing market;
  • The evolution in trust as well as reward mechanisms;
  • The role of penetration testing.

Baker is CSO of Bugcrowd. He has more than 20 years of experience in enterprise data security, IT and government computer research.