Three’s a crowd: Popular bug bounty companies are growing at an insane rate
Despite having three companies all led by ambitious executives competing for the same market share, the nascent bug bounty industry continues to grow at a rapid pace.
Bugcrowd, HackerOne and Synack are the biggest names in the business, a niche industry that effectively hires and sells the services of freelance hackers who are paid to find weaknesses in clients’ systems or products. All three firms boast platforms that privately funnel information about software and hardware bugs to their customers so that affected parties can fix software flaws.
Although each firm follows a slightly different model, they all compete to recruit the best vulnerability researchers and business deals. As the industry continues to gain momentum, it’s becoming more clear who’s winning and what’s working in the marketplace.
Over the last year, the three companies have each expanded in size and influence due to private investors betting big. Significant contracts with the Defense Department, General Services Administration, U.S. Air Force and Army, quickly popularized the disruptive industry, even though the premier brands are still in many ways developing their business strategies and identities.
The men leading these companies have lofty goals.
One to 1 million
“I want to get to 1,000,000 hackers [on our platform] … that’s really where I want us to be in the future,” said Mårten Mickos, HackerOne CEO, in reference to the company’s pool of contracted penetration testers. “We’ve hired about 40 [in-house, full-time employees] since the year started and are growing really fast. We’re at more than a 100 now … the theme this year has definitely been growth.”
In February, HackerOne raised $40 million from a group of prominent venture capitalists. Mickos said the company boasts roughly 120,000 registered accounts on its proprietary community platform, but only 10 percent of that group has participated in a bounty program. A total of about 5,500 users have received a payout for their work discovering bugs.
HackerOne’s open platform allows researchers to easily apply for and gain entry to a variety of bug bounty programs, which are paid for by HackerOne’s customers. HackerOne makes money by running programs and selling access subscriptions to clients who hope to connect with the security research community. It’s also possible for companies to register for a free, informal disclosure program through HackerOne’s website, where anyone can voluntarily share information about a vulnerability with the participating party.
Payouts for the firm’s contractors differs on the program they’re working on, type of vulnerability and client being served. HackerOne has conducted approximately 860 programs this year — not all were paid. The average bounty paid to hackers for a critical vulnerability was $1,923 in 2017, compared to $1,624 in 2015 — an increase of 16 percent. The top performing bug bounty programs pay hackers an average of $50,000 per month.
The company’s strength, Mickos described, comes from its diverse community of researchers, which it can tap into for different bug hunting programs. The approach is relatively hands off and inclusive; registration for users is open, the application for open jobs is simple, and an open review system helps qualify the expertise of individual hackers.
HackerOne runs both public and private programs, with the latter sometimes including a more exclusive and selective hiring process. Broadly speaking, this model comes with certain pros and cons. For example, HackerOne’s crowdsourcing model is meant to be open and welcoming from a researcher standpoint, but that structure can also occasionally scare off potential customers who store more sensitive data.
In the future, Mickos hopes to expand HackerOne’s client base by working with both large corporations and governmental agencies, who he predicts will become increasingly receptive to crowdsourced bug bounty programs. “This fear about bug bounty programs, it will change, I think people will realize that what we offer is safe … even the more sensitive customers will be more receptive [in the future].”
Structure is identity
Being able to serve a sensitive customer base, which already includes the Internal Revenue Service, is what sets Synack apart, according to company cofounder Mark Kuhr.
Synack was created by two former NSA analysts. The researcher community involved with the company began as an extension of Kuhr and co-founder Jay Kaplan’s personal network of contacts.
Synack admittedly has less researchers than HackerOne — Kuhr described it as “several hundred” — and it isn’t looking to greatly increase that number. “What makes us special is that we screen, interview and hold our researchers to a very high standard. We spend a lot of time trying to find the right people,” said Kuhr, “and that gives us an advantage.”
This recruitment method is inherently exclusive, involves requesting personal information upfront from researchers and includes non-disclosure agreements. With this framework in mind, there’s no central leaderboard or open platform to view available contracts or opportunities on Synack’s website.
On average, researchers connected to Synack’s platform are paid about $650 per vulnerability they discover. Some have been paid upwards of $30,000 for uncovering critical bugs.
Synack, like HackerOne, has had no problem attracting private investment in the last 12 months. In April, the company raised a $21 million Series C funding round from a group of investors that included Microsoft and HPE. Over the last seven months, Synack has grown to just over 100 in-house employees, from about 60 the year prior. In addition, Kuhr said the business recently expanded into Europe after securing contracts with financial institutions in London.
Over the last four financial quarters, Synack experienced a 300 percent increase year-over-year in bookings for its financial services, retail and government business, a spokesperson said. The figure serves to underline a 100 percent year-over-year spike in both revenue and sales.
Like its competitors, Bugcrowd also recently raised capital. Last April, the firm was able to raise a $15 million Series B funding round in order to “accelerate customer and crowd growth, pursue strategic partnerships and accelerate engineering and R&D efforts,” according to a company statement. This investment followed 10 consecutive quarters of revenue growth.
A crowd, indeed
Over the past year, Bugcrowd grew from about 50 employees to over 100, said David Baker, vice president of operations. In addition, the company’s researcher community increased in size substantially. There are about 60,000 registered Bugcrowd user accounts, of which roughly 20,000 are active. Around 3,000 work a nearly full-time basis. The average payout per discovered critical vulnerability is $1,796, and it’s over $1,000 for all bugs.
Baker declined to discuss whether Bugcrowd was in the process of speaking with investors to raise a new round of fresh capital.
At the moment, Bugcrowd is running approximately 490 paid programs, which is roughly three times the amount they were running at this time last year. Those programs are paid for by a total of about 460 active clients, also about three times the number from last year.
The company counts Fitbit, Motorola, Tesla, TripAdvisor and Western Union among its customers.
The business model is similar in nature to HackerOne in many ways, but Baker said Bugcrowd functions more like a managed services company by working hand-in-hand with clients to run their bounty programs. About 65 percent of clients run private programs that aren’t widely advertised on the company’s platform.
Adolescence isn’t easy
While expansion doesn’t appear to be a problem, the industry has faced other more divisive challenges amid its gold rush.
HackerOne, for example, faced scrutiny in May after Mickos posted a message on Twitter stating that HackerOne would be willing to work with FlexiSpy, a commercial spyware vendor known for providing surveillance tools designed to spy on everyday citizens.
In response, Bugcrowd CEO Ellis also took to Twitter to announce that his company would do the opposite by declining any service. Supporters of the two companies argued on social media about the efficacy of each decision. While the debate played out, FlexiSpy and HackerOne never went into business with one another.
What followed was an internal discussion at HackerOne about ethical considerations surrounding customer selection. Leadership concluded that FlexiSpy, and other morally ambiguous prospective clients, should in most scenarios have the ability to register for the free, open disclosure programs on HackerOne’s website, but they would not be officially serviced by the company’s vibrant community of researchers. In the future, these types of decisions to possibly deny service to a prospective customer will be made on a “case-by-case basis,” said Mickos. HackerOne published a blog post about the matter on May 4.
“[The Flexispy debate] was an important moment for us,” said Mickos. “It let us really think about and work through something we hadn’t faced before … and we’re now better prepared for it.”
Kuhr said his company’s business model has helped him avoid the issue of denying service to a suspicious client. But nonetheless, he too would consider denying service to prospective customers on a case-by-case basis. “We are supporters of human rights and we understand, because of our backgrounds, issues that could arise if a company like ours worked with a hostile country or spyware vendor or something like that,” said Kuhr.
Mickos and Kuhr said they’ve never been approached by the U.S. government, or any outside party, to decline service to a client. They’ve also never received a request from the government for information concerning the researchers signed onto their platforms.
Ellis was more direct than his competitors. He strongly emphasized his opinion on social media that Bugcrowd would not help spyware vendors become more secure by allowing them access to his company’s services.