The threat of cyber-attacks has risen in the current COVID-19 pandemic, with many company employees working remotely and outside centralised company security systems. Now even small companies need urgent access to experts in cybersecurity and penetration testing. However, cybersecurity companies and IT experts can charge a large chunk of money for their services, and small organisations and startup businesses often don’t have much of a cybersecurity budget available. So they either opt for low-cost services or just ignore the problem. Yet whether an organisation wants to tackle software security, penetration testing or bug hunting, crowdsourcing is a budget-friendly solution, as it allows users to cherry-pick specific services rather than take a whole package from a commercial agency.
What is “Crowdsourcing IT Security”?
Outsourcing work to hackers in the absence of an internal IT security team can be effective and efficient, though it can also involve risks if mishandled. It’s not a matter of throwing down the gauntlet to random, faceless hackers with dubious intentions. The risks of hiring directly include:
- The hired hackers may not be experts, and may not provide an accurate report.
- The hackers may not perform the security assessment at all and may provide fake reports.
- Unethical hackers may take advantage of deficiencies they find in a system.
Intermediary crowdsourcing platforms thus provide a safer route to recruit ethical, trustworthy and competent hackers. They pre-vet hackers, deal with all the varied requirements, and provide authentic reports. Naturally a client will pay them a fee on top of the cost of the actual hackers, though it reduces the risk factors and saves time-consuming hassle.
Three Core Services Provided by IT Security Platforms
1. Vulnerability Disclosure
Exposing the flaws and leaks in a system is called vulnerability disclosure. Usually, third-party vendors, cybersecurity researchers and even customers report bugs and flaws in a company’s software or hardware to make it aware of the possible consequences.
If the company fails to remove the security flaws after a certain period, third-party vendors can opt for public disclosure of the company’s faulty system. To avoid public disclosure, companies should launch a vulnerability disclosure program to receive reports of, and eradicate, all the flaws and issues found. Here, crowdsourcing intermediary firms come to the rescue and help companies launch such a program.
2. Penetration Testing
“Pentesting” tests a company’s IT system by hiring ethical hackers to penetrate its software and hardware and report leaks in the system.
Crowdsourcing platforms not only recruit pre-vetted, trusted hackers for the task, they also prepare an agreement and deal with the legal formalities. This saves a client time and minimises the risk of hackers illegally using the penetration reports they produce. Some crowdsourcing companies maintain a network of full-time hackers (as opposed to part-timers or hobbyists), which further increases the reliability of their services.
3. Bug Bounty Programs
A bug bounty program is an invitation to security researchers and ethical hackers to report any bug or leak they find in a system in return for a low level of compensation. This program helps companies learn about their security flaws without a major monetary investment.
The major problem with bug bounty programs is false reports, which can consume a good deal of a company’s time and resources. Intermediary crowdsourcing firms work as a frontline force for their clients and deal with all the reported bugs. They evaluate each report and discard false and unnecessary claims. They focus only on the major issues and report if there are any real bugs in the system. Once again, this saves a client’s time and helps them to deal effectively with vendors and cybersecurity authorities.
Major Platforms Delivering Crowdsourced IT Security
Synack is the leading crowdsourcing platform in the IT security sector, and is based in the USA. It has the reputation of being a top-tier outsourcing vendor with a focus on larger enterprises. It has a diverse team of hackers and freelance security researchers, working in 55 different countries, that ensure the best bug reports and foolproof cybersecurity to their clients.
This is another US-based platform in this sector, headquartered in San Francisco and operating in 30 countries. They are busier than ever, and as a sign of current relevance they have just raised $30 million of investment. Their main offering is a bug bounty programme.
Crowdswarm is a platform based in Dubai that delivers all-inclusive crowdsourced IT security. Although primarily built for bug bounty and penetration testing, this multi-purpose cybersecurity platform organises security researchers from its large talent pool to find and report all types of potential security breaches before they can be exploited, including critical vulnerabilities in the core infrastructure of data processing libraries.
What motivates the hackers?
The acute demand for trained cybersecurity personnel, and the restricted supply, have helped push security engineer salaries over $225,000. Most hackers consider themselves self-taught, with formalized cybersecurity engineering education yet to become the norm. It’s a sellers’ market: they help relieve some of the pressures on organizations while at the same time they can work when it fits their personal schedules, and for relatively high rewards.
Nearly nine out of 10 hackers are under 35, nine out of 10 are self-taught, and more than half have been doing it for over three years. Given the scarcity of recognised formal qualifications (though this is declining), those who aspire to a full-time position can build a credible portfolio of experience by working on a crowdsourcing basis. In the meantime, all they need is web access and a secure payment method, and these predominantly male young adults, high on income though maybe low on responsibilities, can enjoy an archetypal digital nomad lifestyle.
Others are able to simply transition from hacking as a hobby to a lucrative side hustle. That said, two-thirds of the hackers covered in HackerOne’s recent report still said they do it “for the challenge,” and nearly as many hack just “to have fun.”
To sum up
Crowdsourcing IT security is the need of the hour. All companies, regardless of their size, need to strengthen their cybersecurity to secure their databases and software. Big organizations and larger firms usually have a big budget for security and can hire the services of both in-house IT teams and crowdsourcing firms. But for smaller firms and startups, crowdsourcing seems to be the best solution. They can either handle it themselves, or do a little research to find the most suitable security crowdsourcing platforms to match their needs and budget.
Has anyone among our readers recently either implemented tighter IT security through a crowdsourcing platform, or been a victim of a hostile hack and wish that they had?