roger_grimes
Columnist

Creative defense: Crowdsource your hackers

Analysis
Dec 16, 2014 | 3 min read
Data and Information Security, Hacking, Security

A startup launched by security veterans enables any organization to set up a cost-effective bug bounty program and pay skilled freelance white hats to find vulnerabilities

If your organization is a worthwhile target, whether you know it or not, cyber attackers are crowdsourcing hacks to get past your defenses.

These evildoers have dozens of off-the-radar blog and chat locations in which to exchange hacking information and buy exploit code. They readily borrow from each other and from the many incremental improvements made by their dark-hearted peers.

Wouldn’t it be nice if the good guys had a similar advantage?

Enter CrowdCurity. Co-founded by CEO Jacob Hansen, CrowdCurity is an intriguing take on computer security. According to Hansen, CrowdCurity is a social network for security researchers and white-hat hackers, but it’s much more than that.

My favorite feature is the marketplace that matches skilled white hats with companies needing penetration testing and security reviews. I get emails from small-business managers each week asking if I can recommend a particular pen tester or security reviewer. I have lots of excellent recommendations for companies that have deep pockets, but not as many for the small and midsized firms.

CrowdCurity tries to bridge the gap by allowing any company to set up its own bug bounty program. Contracting companies use CrowdCurity’s website (and guidance) to set up a penetration testing contest to analyze one or more websites or services. The contracting customer sets the rules, scope, and bounties to be paid according to the severity of the bug.

One of the best features is that customers don’t pay unless real-life production bugs are found — and they pay only what they agreed on at the outset. CrowdCurity takes 20 percent of the bug bounty paid out. Alternatively, fixed-price programs can be created to limit payout exposure.

The contracting company ultimately defines how critical the bug is, which in turn determines how much white hats are paid. Payouts appear to fall in the $25-to-$1,000 range. Knowing that some vendors have undersold criticality rankings in the past after they were submitted by hackers, I asked Hansen how disagreements were settled. He said that out of 150 contracts inked since the company was founded in September 2013, only a few have suffered from disagreements. In some cases, Hansen himself got involved as a mediator to help both parties reach an equitable settlement.

I asked what would prevent a white hat from getting mad at the proposed settlement and releasing a found bug publicly or to a higher bidder. Hansen said this had not happened yet, and any white-hat hacker would be bound by the nondisclosure agreement that the contract should contain. In addition, any white hat — or company, for that matter — acting in bad faith would be banned from future bug bounty programs.

CrowdCurity started with a focus on Bitcoin-related companies, which badly needed a good security review without spending too many Bitcoins. Business has spread fairly quickly due mostly to word of mouth and need. Customers and hackers get a site that tracks their efforts and bugs found, replete with status reports, dashboards, and bug tracking. Security researchers can be paid by Bitcoins, naturally, or by credit card. Testing can be one-time or contracted on a regular basis.

CrowdCurity is an excellent idea. Anything that brings skilled workers to a marketplace where their skills can be measured and appropriately compensated is a good development.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.