[eganist]

Your bullets all line up with what Synack and Cobalt.io are doing. How do you differentiate from the two of them, who themselves are already competing hard with each other? Both of them strictly curate their test base, allow for strictly-private programs, allow for researchers to work closely with firms for resolution, can launch and operate your whole program, and charge per finding.

[wsul]

To be completely forthright, we don’t know. Have you used Synack or Cobalt? Would love to hear your experience. We haven’t heard much about Cobalt, but there are some sharp people behind Synack.

That said, I don’t think there can be too many people trying to help companies secure themselves.

I think HackerOne and BugCrowd have <1,000 customers each. I’d guess Synack and Cobalt have less. I think less than 1% of YC companies have a bug bounty program -- and almost none below 50 employees have one.

We would like every company to have a bug bounty program, and that is what we’re tailoring our product to. (We’d certainly rather pay an outside researcher if they find a vulnerability than risk our customer’s data). Synack et al, I’m guessing, run tens to hundreds of thousand per month and accordingly, their software is focused on supporting a small number of large/enterprise customers. We think something important happens when you have tens of thousands of startups/companies using the same marketplace for bug bounties and pentests.

I think we probably all share the same general mission -- but our approach is a bit different: to build software that will be tailored to startups, and to have a lot more of them.

[shark256]

Hi James and William - congrats on founding Federacy.

I'm the CEO and Co-founder of Cobalt.io. I love startups and it takes a lot of courage to get going, so I applaud you for taking the leap and helping innovate in this space.

We started building the Cobalt.io platform back in 2013. We originally started as a bug bounty platform and since then evolved into a Pen Testing as a Service platform [PTaaS] over the last 5 years.

During this evolution I did a lot of thinking around crowdsourcing freelancers for security testing. I'll recommend these two blogs around how the market has evolved over the years and the different cases where bug bounties make sense vs. pen tests and vuln assessments. - https://blog.cobalt.io/deconstructing-and-rewiring-bug-bount... - https://blog.cobalt.io/the-third-wave-of-application-securit...

I believe you are in the bay area. Feel free to ping me at linkedin or twitter and I'll be happy to meetup.

Cheers Jacob

[wsul]

Hey Jacob, thanks for the kind words, and taking the time to leave a comment. I'd love to meet up, pinging you now!