by wsul 2881 days ago
Just a quick preface: we started building Federacy a little over two months ago as part of this batch of YC companies. We’re a team of two FTEs. Many or all of our assumptions could well prove to be woefully off-target. But we think that if we keep our heads down and build what the startups and researchers on the platform ask for, we can make at least a small difference in how startups can secure themselves.

A huge majority of the startups we’ve talked to don’t have a bug bounty program, haven’t worked with an outside pentester, and honestly, don’t know where to start.

Most startups don’t have a CISO or dedicated security team, so by “outsourced CISO” we mean: having a designated, vetted, and experienced person/team on-hand who can help with higher-level strategy and architectural decisions; essentially, a small piece of what you provide at Latacora. We think there are very few firms with your level of experience that are working with non-enterprise customers. Do you agree? Do you think there is a better description?

We’re at the very early stages of conceptualizing how we can make the high-level advisory services work. In talking to a bunch of talented security people at large Internet companies etc, we found a lot were interested in working directly with startup CTOs if they could make a significant impact and not have to deal with the tedious aspects of running a consultancy. Our thinking was that if we could build matchmaking on top of the VRP and other tooling we’re building, it could be an efficient way to connect the two and create a lot of value for both sides. What do you think?

I think the value of a bug bounty program probably comes down to the quality of the people doing the work and the willingness of the company to engage actively with the researchers. It’s our job to manage the balance between the researchers on the platform and the active programs, so that both find value -- and ultimately, yield more secure startups.

We hope the best startups will use our bug bounty program alongside full-scope pentesting and a myriad of other outside resources. I think you see this done well at some companies that have really good security postures. Shopify, Dropbox, etc. have really strong internal teams, work with outside researchers, and still pay out a lot of bug bounties.

We're currently vetting researchers manually -- James and I are reviewing each registration and reaching out individually so we can pair them with startups on the platform. We’ll build out functionality to help over the long run, and are already tossing around ideas to infer trust through vouching, etc. But, we think it’s important to show our work early and get people using the platform to help guide these decisions.

We’re reaching out to researchers directly -- through our friends, the Y Combinator network, and even cold, if we find someone we think would be a good fit for one of our programs. It’s definitely self-selecting, to an extent, as we’re very much an early-stage startup ourselves, and the work they’ll be doing is with mostly early-stage startups.

Appreciate the heads up w.r.t. H1 costs, edited the original post (edit: can't edit the original post, derp, but duly noted). I think low five figures still puts H1 out of the reach of a lot of companies, and that a well-run bug bounty program can add a lot of value for almost every startup. I think there are probably tens of thousands of startups that really should be engaging outside security researchers, and, of course, that, in itself, creates a pretty big challenge for an already severe talent crisis.

What do you think?