CISSP-qualified security consultants who participate in bug-bounty programs, but fail to win the top cash prize, can still claim the time they spend towards their continuing professional education (CPE) requirements after Australian startup Bugcrowd negotiated recognition with peak security body (ISC)2.
A growing security startup whose founders are currently ensconced in Silicon Valley with the hope of raising both profile and venture-capital funding, Bugcrowd manages bug-bounty programs in which third parties – large enterprises, government agencies, financial institutions, and other organisations – subject their systems to carefully controlled online penetration testing by security enthusiasts under tight non-disclosure rules.
The company has already run programs for Australian, US and Israeli organisations, including Google USA and others, with the aim of helping turn the tables on hackers while delivering a more cost-effective outcome for clients.
Instead of hiring an external pen-testing firm to have a few staff run a one-off audit, Bugcrowd clients contribute to a kitty that’s offered to a growing pool of interested security specialists, who can sign up to find and report bugs in the client’s software. The first to document and submit problematic bugs win cash prizes, often in the many thousands of dollars.
“The number of findings we get from doing security assessments in this way is far greater than what I’ve seen in the past from traditional testing, and for clients the value for money is a lot higher,” Bugcrowd founder Casey Ellis told CSO Australia.
“Cybercriminals, by virtue of their business model, have the economic advantage over businesses that are trying to defend themselves and can pay $2000 a day for a consultant. This levels out the playing field.”
Participants holding Certified Information Systems Security Professional (CISSP) qualifications can claim the time they spend on Bugcrowd bounty programs towards their accumulation of CPE credits, 120 of which are required on a rolling three-year basis to maintain the certification.
By maintaining a points system for regular participants to earn other rewards – and, now, by being able to offer hours-based CPE points as a sort of consolation prize – founder Casey Ellis believes recognition from (ISC)2 will elevate the company’s bug bounties from being an intellectual pursuit for hobbyist hackers into a regular skills-building exercise that just happens to improve the security of client organisations’ systems.
“Part of what we’re trying to achieve with this whole business model is to legitimise the concept of bug bounties in the popular understanding,” Ellis said, noting that CPE points aren’t available for paid work, so Bugcrowd winners are ironically ineligible.
“If Bugcrowd participants submit a finding but they’re not the first to submit, they’re eligible for CPEs. This brings a depth of technical knowledge to the Bugcrowd events, and validation of the depth of technical knowledge to people who participate in them. It’s really good for the community side of things, but it’s also working incredibly well for customers.”