How does Detectify Crowdsource get the most skilled ethical hackers of the world to come together and have as broad an impact as possible? The answer – a bug bounty program, but not in the traditional way.
I am Carolin Solskär, Detectify Crowdsource Community Manager and I work closely with our ethical hackers to make sure we maintain an awesome experience for all our members with the shared goal to make the Internet more secure. Let’s talk about how Detectify Crowdsource is not your average bug bounty platform:
Ethical hackers founded Detectify. They built the company on the simple idea that the Internet is broken and that there should be a product to help fix it. This is not an easy mission, and our founders realized that their brainpower was not enough. They needed to involve more people, but could not hire all of them, so they turned to the power of the crowd.
If you find a security bug that impacts hundreds of companies, how would you go about reporting it to every single one?
In your bug bounty efforts, you may stumble upon a finding with a footprint more extensive than just the current asset. It’s something more systemic and may apply to other targets as well, including ones that you cannot legally test on. What would you do?
First, you would have to find out whether each affected company has a Responsible Disclosure or Bug Bounty Program before you run any tests. Then, for every vulnerable instance, you would need to write an individual report and submit each one separately. This part can be extremely time-consuming, and you will still not reach all targets. It is also unlikely to generate much money for you, and a payout is not even always guaranteed.
In other words: this process is not scalable. If the desired outcome is to make the Internet safer, there needs to be a better way of distributing security knowledge.
“As a hacker, I’m a big fan of automation, and automation that periodically rewards you for your past research without lifting the same finger twice is amazing.” – eur0pa, member of Detectify Crowdsource
Detectify automates the knowledge of 200+ handpicked ethical hackers
As a hacker, you’re already familiar with different scripts and tools to help you with your recon work. Detectify automates the reporting of vulnerable instances to vendors on behalf of hackers. When you discover a vulnerability and submit a proof of concept to us, our security researchers will automate it using our sophisticated in-house scanning engines. Those scanning engines will find and validate that vulnerability across our broad range of customers.
We make hacking scalable
Detectify is not like other bug bounty platforms. Bug bounty programs have made collaborating with hackers more acceptable, but they only benefit one company at a time. Our approach is to source widely applicable research that can be automated and run against our entire user base, since our customers’ tech stacks share many similarities. In turn, our hackers have a broader impact on Internet security.
Get a recurring reward
And perhaps the most differentiating factor: Detectify Crowdsource hackers get paid per hit for as long as the module is live. This means that each time a vulnerability you submitted is found in a unique customer asset through Detectify services, you collect a bounty. You get a continuous flow of rewards for your work rather than a one-time lump sum. The more widespread the vulnerability, the more companies you help, and the more money you will make.
“The best part of Detectify Crowdsource is that it’s like a passive income. You report one common vulnerability you’ve found and you could get hits on it for months to come.” – Streaak, member of Detectify Crowdsource
The combo of automation and crowdsourced security will make the Internet safer
In the fingerprinting phase of scanning, we detect what technologies our customers run on their websites. Instead of holding onto this, we share this with our Crowdsource hackers so they can see what types of technology have more instances to check.
We also guide researchers to submit specific vulnerabilities that we think will affect our users. It could be a vulnerability that we know exists but do not yet have a proof of concept for, which is the case for some Common Vulnerabilities and Exposures (CVEs). You don’t have to be the original researcher to submit something to the Crowdsource bug bounty program. If you stumble upon a publicly known vulnerability that we have yet to implement as a module, we will gladly accept a detailed and well-defined proof of concept.
Bug bounties aren’t just for bug bounty hunters
We are not only looking for full-time bug bounty hunters to join the community. Pentesters, security-interested developers, and security hobbyists are welcome as well. We need diverse skill sets in our network to have a significant impact.
So what are you waiting for? Take our challenge and find out if you have what it takes to join our mission of fixing the Internet!
Apply to be a part of Detectify Crowdsource at https://cs.detectify.com/apply.
“To be honest, what I like the most is to see what modules other researchers are submitting. It pushes me to be a better researcher. For example, sometimes I see modules on frameworks that I’ve tested before. So seeing something new on it makes me think ‘how did I miss that? How could I have found that?’ And then I attempt to reproduce it.” – JR0ch17, member of Detectify Crowdsource
Detectify collaborates with ethical hackers to crowdsource security research from the forefront of the industry, so you can check for 2000+ common vulnerabilities. Our testbed includes the OWASP Top 10, security misconfigurations and subdomain takeovers submitted by the Detectify Crowdsource community. Try or buy Detectify. Sign up today for a 14-day free trial.