Hacker News | wsul's comments

Received your cold LinkedIn message... founder to founder, spending time on building a better product is always going to yield better results than scraping your competitor's launch announcement to send cold messages to all their commenters.

If you are going to reach out, I've always found it helpful when a company speaks to their differences and in a positive tone, rather than throwing shade.


We have a pretty complex onboarding process (bug bounty programs for startups), really excited to give this a try.


Thanks for the feedback, feel free to DM me directly and we can set you up. Looking forward to it!


How does this compare to other badge services like Shields.io?


The badge designs themselves are modeled after the badges generated by Shields.io. However, when the Tangram team was putting together our CI pipeline, we realized that we couldn't use a Shields-like service because most of our repositories are private (no public pings, you know).

So, since we're a Rust-heavy organization, we decided to generate our own badges during CI. Seeing that current Rust-based offerings were lacking compared to something like Shields.io... we just made our own!


Appreciate the kind words! Reaching out now -- would love to get you into our beta and work from any of your feedback. Finsight seems like a perfect use case and we're excited to dig in.


Just a quick preface: we started building Federacy a little over two months ago as part of this batch of YC companies. We’re a team of two FTEs. Many or all of our assumptions could well prove to be woefully off-target. But... we think that if we keep our heads down and build what the startups and researchers on the platform ask for, we can make at least a small difference in how startups can secure themselves.

A huge majority of the startups we’ve talked to don’t have a bug bounty program, haven’t worked with an outside pentester, and honestly, don’t know where to start.

Most startups don’t have a CISO or dedicated security team, so by “outsourced CISO” we mean: having a designated, vetted, and experienced person/team on-hand who can help with higher-level strategy and architectural decisions; essentially, a small piece of what you provide at Latacora. We think there are very few firms with your level of experience that are working with non-enterprise customers. Do you agree? Do you think there is a better description?

We’re at the very early stages of conceptualizing how we can make the high-level advisory services work. In talking to a bunch of talented security people at large Internet companies etc., we found a lot who were interested in working directly with startup CTOs if they could make a significant impact and not have to deal with the tedious aspects of running a consultancy. Our thinking was that if we could build matchmaking on top of the VRP and other tooling we’re building, it could be an efficient way to connect the two and create a lot of value for both sides. What do you think?

I think the value of a bug bounty program probably comes down to the quality of the people doing the work and the willingness of the company to engage actively with the researchers. It’s our job to manage the balance between the researchers on the platform, and the active programs, so that both find value -- and ultimately, yield more secure startups.

We hope the best startups will use our bug bounty program alongside full-scope pentesting and a myriad of other outside resources. I think you see this done well at some companies that have really good security postures. Shopify, Dropbox, etc. have really strong internal teams, work with outside researchers, and still pay out a lot of bug bounties.

We're currently vetting researchers manually -- James and I are reviewing each registration and reaching out individually so we can pair them with startups on the platform. We’ll build out functionality to help over the long run, and are already tossing around ideas to infer trust through vouching, etc. But, we think it’s important to show our work early and get people using the platform to help guide these decisions.

We’re reaching out to researchers directly -- through our friends, the Y Combinator network, and even cold, if we find someone we think would be a good fit for one of our programs. It’s definitely self-selecting, to an extent, as we’re very much an early-stage startup ourselves, and the work they’ll be doing is with mostly early-stage startups.

Appreciate the heads up wrt H1 costs, edited the original post (edit: can't edit the original post, derp, but duly noted). I think low five figures still puts H1 out of the reach of a lot of companies, and that a well-run bug bounty program can add a lot of value for almost every startup. I think there are probably tens of thousands of startups that really should be engaging outside security researchers, and, of course, that, in itself, creates a pretty big challenge for an already severe talent crisis.

What do you think?


To be completely forthright, we don’t know. Have you used Synack or Cobalt? Would love to hear your experience. We haven’t heard much about Cobalt, but there are some sharp people behind Synack.

That said, I don’t think there can be too many people trying to help companies secure themselves.

I think HackerOne and BugCrowd have <1,000 customers each. I’d guess Synack and Cobalt have fewer. I think less than 1% of YC companies have a bug bounty program -- and almost none below 50 employees have one.

We would like every company to have a bug bounty program, and that is what we’re tailoring our product to. (We’d certainly rather pay an outside researcher if they find a vulnerability than risk our customers’ data.) Synack et al., I’m guessing, run tens to hundreds of thousands per month and accordingly, their software is focused on supporting a small number of large/enterprise customers. We think something important happens when you have tens of thousands of startups/companies using the same marketplace for bug bounties and pentests.

I think we probably all share the same general mission -- but our approach is a bit different: to build software that will be tailored to startups, and to have a lot more of them.


Hi James and William - congrats on founding Federacy.

I'm the CEO and Co-founder of Cobalt.io. I love startups and it takes a lot of courage to get going, so I applaud you for taking the leap and helping innovate in this space.

We started building the Cobalt.io platform back in 2013. We originally started as a bug bounty platform and since then evolved into a Pen Testing as a Service platform [PTaaS] over the last 5 years.

During this evolution I did a lot of thinking around crowdsourcing freelancers for security testing. I'll recommend these two blogs around how the market has evolved over the years and the different cases where bug bounties make sense vs. pen tests and vuln assessments. - https://blog.cobalt.io/deconstructing-and-rewiring-bug-bount... - https://blog.cobalt.io/the-third-wave-of-application-securit...

I believe you are in the Bay Area. Feel free to ping me on LinkedIn or Twitter and I'll be happy to meet up.

Cheers, Jacob


Hey Jacob, thanks for the kind words, and taking the time to leave a comment. I'd love to meet up, pinging you now!


Yeah, that definitely makes sense, and I agree.

At the core, Federacy is a marketplace, and the surest way for us to constrain the transactions will be to make it difficult for startups to extract a lot of value. We’ll have to work hard on the tools (reputation, vetting, etc), for startups to trust and work with really talented researchers.

Not quite as important, I think, but also interesting is what tooling we can build to let researchers focus on the work they enjoy, and that adds the most value for startups. If we can make the reporting process more intuitive, they can focus more on research -- and less on writing traditional pentest reports.


We've tossed around ideas like this -- including something similar to how Numerai uses staking for their data science competitions. The security researcher would stake a small amount based on their confidence that the report is an impactful vulnerability.

I think it's an interesting idea, but could be complicated to get right. We’re also wary of creating barriers that are too prohibitive for some of the really great and hard-working researchers in the world.

I think an easy solution may be to build good vetting tools and a thorough process: a short application, technical interview, and/or trial periods for new researchers. Right now though, we’re personally reviewing every researcher. :)

A big part of this, too, is providing the environment where researchers can learn and emphasize their existing contributions. I think there’s a lot we can do there, while still allowing researchers to provide a lot of value.

What do you think?


Your experience is exactly why we're building Federacy.

Bug bounties can be an incredibly efficient way to work with outside security researchers to find vulnerabilities, test for best practices, etc., but done poorly, can cause more damage than they help. We want to make them work for startups as well as they do for companies like Dropbox, Shopify, and Google. We have our work cut out for us -- but if we're successful, we think it could materially improve how startups secure themselves.

All the dev teams we've been part of share the same challenges. We're always overburdened with work on revenue-producing features, so being flooded with more work that ultimately doesn't add much value in securing our software is the last thing we want.

Right now our solution for spam, dupes, and low-quality reports is to be extremely selective with the security researchers we allow on the platform.

We're launching in private beta so James and I can hand-pair researchers, help companies write their VRP, and review every vulnerability report.

Other ideas we’re working on:

- Very clear “Known Issues” / “Not Issue/Out of Scope” sections

- De-duping based on comparing report attributes

- Utilizing machine learning to improve de-duping based on description of vulnerability

- Collaboration. Encouraging companies to look at their approved outside researchers as a part of their team and building tools to facilitate this

Do you think any of these would help? Are there other ideas we should be focusing on that might solve these problems more efficiently?


My 2 cents: I used to work on the appsec team at Twitter and can attest that we could not get Mopub to ever resolve any of your security vulnerabilities.

Noise is certainly a problem on bug bounty platforms but our team handled all of that - by the time vulnerabilities reached you they were already valid, triaged, important issues to resolve.

> We're always overburdened with work on revenue-producing features

This is the bigger problem - if your leadership doesn't care about security then it doesn't matter whether you use Hackerone or Federacy or something else, it's still not going to be a priority. This was the case with RB, in my personal opinion.

Of course many companies do care or want to care but still need some handholding - I think Federacy can provide them a lot of value and wish you a lot of success in that.


Hah, yeah, this stuff is hard and acquisitions make it even harder.

I think you started a month after I left. We built a lot at MoPub in a short period of time and when we were acquired I had a mile-long backlog. The Twitter security team was great though and built a war-room during integration. We worked some intense hours leading up to the IPO and over the Holidays, and I’m proud of the work we all did. We migrated a sprawling stack that supported what was then the largest mobile ad exchange and billions of sub-second auctions over just a few weeks. Most of the MoPub team transitioned to other projects and teams quickly though and I left not that long after.

Totally agree that it starts at the top. If the C-level doesn’t care, there just won’t be the resources it takes to build good, secure software. We intend to focus on supporting companies who do care, and we think this focus will also impact how companies using Federacy interact with researchers. We want outside researchers to be viewed as allies, not as a burden.

Have any thoughts on how we can best accomplish this?


Every bug bounty platform has tried to be "selective" in the researchers they allow in when they start. You'll soon discover that selective doesn't scale.

The only way you are going to disrupt the current market is by hiring on your own salaried pentesting talent to participate.


What do you think caused being selective not to scale at other platforms? What do you think we can do to keep the quality of our researchers extremely high?

What we’ve heard in talking about this to a bunch of talented researchers is that they’ve been frustrated with payout rates (too low for the amount of work), the tone of the interactions between researcher and company, and the number of opportunities/companies where they can add value (given their skillset - many have said they do the work in large part to learn).

I think there is probably a lot we can do to create/keep balance in the marketplace to address a lot of these if we take things slow.

Would love to hear more of your thoughts on the strategy of building out our team with salaried pentesting talent. Why do you think that is critical to adding a lot of value for startups?


Congrats on the launch guys. What types of customers are you seeing most benefit from working with JITX versus other contractors?


Thanks! Hardware startups are seeing the most benefit right now.

We've recently found that we also benefit design teams at larger companies when we design test fixtures, adapter boards, etc. Removing the distracting work so the layout team can focus on product.

