by tptacek 2881 days ago
What does it mean to "contract an outsourced CISO" to a researcher who reported through a bug bounty program? What's an "outsourced CISO"?

I think it's unlikely that "CISO" is the word you want to use in your copy.

How are you vetting researchers? I logged in as a researcher, and it looks like it works just like H1 works: there are public bounties, and private ones for which admission is gated by performance on the public bounties.

It is not the case that H1 typically costs six figures; typical costs for a startup on H1, with triage, are low five figures.

We manage bug bounties for several of our clients (we run outsourced security teams for startups). If there's a problem we have with bounties, it's not getting enough submissions from them. Triage can be annoying (I kind of enjoy it), but we do full-scope penetration tests for each of our clients, and it's noteworthy how much more a real pentest finds than a bounty program. There are different incentives, different information available, and different kinds of work result.

(There are things bounties do better, too; bounties are good for finding oddball XSS and CSRF problems, and good at corner-case web hygiene stuff).

How are you attracting talent? I don't really understand the business model. Bounty researchers already have a bunch of platforms they can use if they want to do bounty-type scanning. Why are they using yours?


Just a quick preface: we started building Federacy a little over two months ago as part of this batch of YC companies. We’re a team of two FTE. Many or all of our assumptions could well prove to be woefully off-target. But... we think that if we keep our heads down and build what the startups and researchers on the platform ask for, we can make at least a small difference in how startups can secure themselves.

A huge majority of the startups we’ve talked to don’t have a bug bounty program, haven’t worked with an outside pentester, and honestly, don’t know where to start.

Most startups don’t have a CISO or dedicated security team, so by “outsourced CISO” we mean: having a designated, vetted, and experienced person/team on-hand who can help with higher-level strategy and architectural decisions; essentially, a small piece of what you provide at Latacora. We think there are very few firms with your level of experience that are working with non-enterprise customers. Do you agree? Do you think there is a better description?

We’re at the very early stages of conceptualizing how we can make the high-level advisory services work. In talking to a bunch of talented security people at large Internet companies etc., we found a lot were interested in working directly with startup CTOs if they could make a significant impact and not have to deal with the tedious aspects of running a consultancy. Our thinking was that if we could build matchmaking on top of the VRP and other tooling we’re building, it could be an efficient way to connect the two and create a lot of value for both sides. What do you think?

I think the value of a bug bounty program probably comes down to the quality of the people doing the work and the willingness of the company to engage actively with the researchers. It’s our job to manage the balance between the researchers on the platform, and the active programs, so that both find value -- and ultimately, yield more secure startups.

We hope the best startups will use our bug bounty program alongside full-scope pentesting and a myriad of other outside resources. I think you see this done well at some companies that have really good security postures. Shopify, Dropbox, etc. have really strong internal teams, work with outside researchers, and still pay out a lot of bug bounties.

We're currently vetting researchers manually -- James and I are reviewing each registration and reaching out individually so we can pair them with startups on the platform. We’ll build out functionality to help over the long run, and are already tossing around ideas to infer trust through vouching, etc. But, we think it’s important to show our work early and get people using the platform to help guide these decisions.

We’re reaching out to researchers directly -- through our friends, the Y Combinator network, and even cold, if we find someone we think would be a good fit for one of our programs. It’s definitely self-selecting, to an extent, as we’re very much an early-stage startup ourselves, and the work they’ll be doing is with mostly early-stage startups.

Appreciate the heads up wrt H1 costs, edited the original post (edit: can't edit the original post, derp, but duly noted). I think low five figures still puts H1 out of the reach of a lot of companies, and that a well-run bug bounty program can add a lot of value for almost every startup. I think there are probably tens of thousands of startups that really should be engaging outside security researchers, and, of course, that, in itself, creates a pretty big challenge for an already severe talent crisis.

What do you think?