While Gartner does not have a dedicated Magic Quadrant for Bug
Bounties or Crowd Security Testing yet, Gartner Peer Insights
already lists 24 vendors in the “Application Crowdtesting Services”
category.
We have compiled the top 5 most promising bug bounty platforms
for those of you who are looking to enhance your existing software
testing arsenal with knowledge and expertise from international
security researchers:
1. HackerOne
Being a unicorn backed by numerous reputable venture
capitalists, HackerOne[1]
is probably the most well-known and recognized Bug Bounty brand in
the world.
According to their most recent annual report, over 1,700
companies trust the HackerOne platform to augment their in-house
application security testing capacities. The report likewise says
that their security researchers earned approximately $40 million in
bounties in 2019 alone and $82 million cumulatively.
HackerOne is also famous for hosting US government Bug Bounty programs, including the US Department of Defense and US Army vulnerability disclosure programs. Like some other commercial providers of Bug Bounties and Vulnerability Disclosure Programs (VDP), HackerOne now also offers penetration testing services staffed with vetted security researchers from around the globe.
HackerOne has a solid portfolio of security certifications, including ISO 27001 and FedRAMP authorization.
2. BugCrowd
Founded by cybersecurity expert Casey Ellis, BugCrowd[2] is probably the most creative and inventive Bug Bounty platform. BugCrowd actively promotes not just the traditional crowd security testing services but also attack surface management and a broad spectrum of penetration testing services for IoT, APIs, and even networks, staying ahead of its competitors in the rapidly growing crowd labor market.
BugCrowd also aptly advertises numerous Software Development
Life Cycle (SDLC) integration capacities, making the DevSecOps
workflow faster and easier for their wealthy clients.
BugCrowd is famous for hosting Bug Bounty programs for such industry giants as Amazon, VISA, and eBay, as well as the venerated (ISC)² cybersecurity education association. Many beginners in security research are familiar with BugCrowd thanks to BugCrowd University and the ongoing security webinars and training that BugCrowd organizes for both its customers and its researchers.
3. OpenBugBounty
The skyrocketing OpenBugBounty[3] project is the only not-for-profit vulnerability disclosure and Bug Bounty platform on our list. Its Alexa rank suggests that OpenBugBounty is about to surpass most of its commercial competitors.
With over 1,200 active Bug Bounty programs, OpenBugBounty also
permits coordinated disclosure of security issues on any website if
the issue was detected by non-intrusive means. Bug Bounty program
creation is totally free, and the website owners are not required
to make monetary payments to the researchers – but are encouraged
at least to thank the researchers and provide a public
recommendation for their efforts.
OpenBugBounty hosts Bug Bounty programs for such companies as A1 Telekom Austria and Drupal, with over 20,000 security researchers and almost 800,000 security vulnerabilities submitted so far. The platform says its policies and disclosure processes are based on the ISO 29147 standard.
OpenBugBounty also cooperates with national CERTs and law
enforcement agencies by providing them with a free API to the
platform while keeping vulnerability details confidential unless a
researcher discloses his or her findings to the public.
4. SynAck
Backed by many renowned VC funds, including Intel Capital and Kleiner Perkins, SynAck[4] was named a “CNBC Disruptor” company four times in a row, from 2015 to 2019. SynAck stands atop the commercial Bug Bounty platforms and was also named in Gartner’s Top 25 Enterprise Software Startups.
Founded by Jay Kaplan and Mark Kuhr, security visionaries and reputable veterans of the US national security agencies, SynAck offers an elite team of thoroughly vetted cybersecurity researchers known as the “Red Team” (SRT). According to SynAck, the SRT group is composed of security experts with verified backgrounds and credible industry experience.
SynAck successfully positions itself as the leader in trusted
crowd security testing services by performing comprehensive due
diligence on their Red Team and recording all their activities for
future analysis or review. Finally, SynAck has successfully
developed partnerships and technology alliances with the industry
leaders, including Microsoft, AWS, and HPE, demonstrating strong
potential for further growth.
5. YesWeHack
YesWeHack[5] is the rising star of our rating for 2021. A European Bug Bounty and vulnerability disclosure company, YesWeHack efficiently attracts EU-based companies whose main concern is strict privacy and data protection. Recently, YesWeHack announced a record 250% growth in Asia during 2020, demonstrating that European startups are capable of scaling globally.
Similar to BugCrowd, YesWeHack is well prepared to invest in its human capital. Last year, it launched a training program to help Bug Bounty hunters hone their hacking skills with the YesWeHack DOJO platform. It features introductory courses, training challenges focused on specific security vulnerabilities, and playgrounds.
With DOJO, security researchers from all over the world can
improve their software security testing skills. Finally, YesWeHack
persuasively demonstrates its capacity to attract reputable
European customers such as the French OVH conglomerate.
Bug Bounties have started their transformation from pure crowd
security testing to all-in-one cybersecurity platforms, offering
classic penetration testing and a myriad of other services. Today,
it is difficult to predict how successful their offering will be
against traditional MSSPs and cybersecurity vendors; however, Bug
Bounties certainly created a new market niche with powerful
potential.
Meanwhile, the open and free OpenBugBounty[6] project brings maturity into the business, much as open-source Linux did against Microsoft decades ago, later giving birth to the multi-billion-dollar Red Hat business.
This is an indicator that the Bug Bounty market is becoming bigger and more competitive while newcomers are still joining the game. We can probably expect even more Venture Capital and M&A deals fostering further expansion of the crowd security market.
