FLT is covering the 2013 Startmate accelerator program, which aims to help early-stage companies become enduring internet companies. Here, we introduce Casey Ellis and Serg Belokamen of BugCrowd.
Casey Ellis did his first pitch in front of the other Startmate companies and mentors on Monday, and did well considering he’d run out of time to prepare — the past few days had been taken up running the third BugCrowd bounty, a crowdsourced approach for companies to test their site for security vulnerabilities, or bugs.
Companies like Facebook and Google have been running bug bounties for years. The proposition is straightforward — by offering rewards to those who find a security flaw, you avoid the consequences of being hacked and having customer information stolen. Until now, though, most large companies have tended to engage expensive security consultants to test their systems rather than run a bounty.
“When you’re paying for time, people will take their time,” says Ellis. “Bug bounties worked for Facebook and Google and our initial experience shows there is a significant untapped market.”
So far there are 1,200 testers signed up to the platform. BugCrowd received more than 100 submissions for its current bounty, which ends today. In the first three hours of this bounty, they saw 80 hours of work completed by testers. Those who come up with the most creative or potentially serious security bugs will win the bounty and share in a pool of prize money — $5,000 for this current competition.
Testers are piped through the BugCrowd servers, in the hope of preventing more malicious hackers from using bounties as an opportunity to take a free shot at a website. The founders hope the crowd effect will also alleviate any threat of people finding bugs and later using them to hack a service, or selling the information. Each bounty BugCrowd has run so far has uncovered a zero-day bug (a previously unknown vulnerability).
Eventually, testers competing on the site will be able to accumulate points for each bug they find. More advanced bugs will equal more points. Additionally, BugCrowd plans to offer a voluntary service for charities and not-for-profits: it allows BugCrowd to create more opportunities for people to compete in bounties, and helps groups which wouldn’t normally be able to afford this sort of service. The first trial took place last year with subscription toilet paper social enterprise, LooLoo Paper. Testers will benefit by accumulating additional points for any charity bounty they participate in.
“Just by the very nature of charities, they are vulnerable with security. They often take donations or payments online, and can’t afford expensive consultants,” says Belokamen.
It’s not the pair’s first venture. In 2011, they launched security testing consultancy, White Label Security. Introduced by a mutual friend, they met over a few beers and decided to partner. They’ve now hired someone to manage White Label Security, so they can focus primarily on BugCrowd. This time, the founders want to build a business that can scale fast and grow big. And to this end, the pair is focussed on getting as many customers as possible. Ellis and Belokamen have the benefit of a history in the industry and are working their way through their address book. They’re also building out their platform, currently an amalgam of other systems.
“We’re getting used to the routines, and learning about testing the market. We entered Startmate with a strong business model so now it’s just automating and improving that,” says Belokamen.
Settling into the Startmate offices has been a change for both founders. Ellis had been working from a home office in Sydney, while Belokamen had recently been working full-time for a large consultancy firm in Melbourne. They’re getting used to working in the same office too, having primarily worked over Skype and IM for the past year. One of the other challenges Startmate brings is the need for focus. Like all startups, there are so many things to work on — acquiring customers, perfecting the pitch, building the product — and limited time to do it all.
Focus is hard, particularly with limited resources and a ticking clock. Today is no different. They’ve been pulling long days while running this bounty; trying to keep customers and testers happy, and assess what changes they might need to make before running the next one. Meanwhile, they’re trying to attract new customers: Ellis and Belokamen are talking with journalists for the next few hours, in their first PR blitz. They’ve lined up interviews with ZDNet, the Sydney Morning Herald and tech blogger Stilgherrian. Finding the time to do all that’s needed can be tough.
“It’s especially so in this environment. You go from just having this idea and fitting it in when you can, to it being not only the only thing you’re doing, but you’ve only got three months to hit it,” says Ellis.
“Niki [Scevak] and the mentors have said you need to have one thing you’re focussed on. For us that’s happy customers, and lots of them. We only plan to do things that support that.”
While there is a market locally, Ellis acknowledges the need to focus elsewhere: “The problem we’re solving exists in Australia, but it exists on a much larger scale overseas. We also want to raise capital.”
“In the same way GitHub became a de facto resume for programmers, we want to become the resume for security people,” he says.
