While Gartner does not have a dedicated Magic Quadrant for Bug Bounties or Crowd Security Testing yet, Gartner Peer Insights already lists 24 vendors in the “Application Crowdtesting Services” category.
We have compiled the top 5 most promising bug bounty platforms for those of you who are looking to enhance your existing software testing arsenal with knowledge and expertise from international security researchers:
Being a unicorn backed by numerous reputable venture capitalists, HackerOne is probably the most well-known and recognized Bug Bounty brand in the world.
According to their most recent annual report, over 1,700 companies trust the HackerOne platform to augment their in-house application security testing capacities. The report likewise says that their security researchers earned approximately $40 million in bounties in 2019 alone and $82 million cumulatively.
HackerOne is also famous for hosting US government Bug Bounty programs, including the US Department of Defense and US Army vulnerability disclosure programs. Like some other commercial providers of Bug Bounties and Vulnerability Disclosure Programs (VDP), HackerOne now also offers penetration testing services stuffed with vetted security researchers from around the globe. HackerOne has a solid portfolio of security certifications, including ISO 27001 and FedRAMP authorization.
Founded by cybersecurity expert Casey Ellis, BugCrowd is probably the most creative and inventive Bug Bounty platform. BugCrowd actively promotes not just the traditional crowd security testing services but also attack surface management and a broad spectrum of penetration testing services for IoT, API, and even network, staying ahead of their competitors on the rapidly growing crowd labor market.
BugCrowd also aptly advertises numerous Software Development Life Cycle (SDLC) integration capacities, making the DevSecOps workflow faster and easier for their wealthy clients.
BugCrowd is famous for hosting Bug Bounty programs for such industry giants as Amazon, VISA, and eBay, as well as the venerated (ISC)² cybersecurity education association. Many beginners in the security research are well familiar with BugCrowd thanks to the BugCrowd University, ongoing security webinars, and training BugCrowd smartly organizes both for their customers and researchers.
The skyrocketing OpenBugBounty project is the only non-for-profit vulnerability disclosure and Bug Bounty platform on our list. Its Alexa rank says OpenBugBounty is about to surpass most of its commercial competitors successfully.
With over 1,200 active Bug Bounty programs, OpenBugBounty also permits coordinated disclosure of security issues on any website if the issue was detected by non-intrusive means. Bug Bounty program creation is totally free, and the website owners are not required to make monetary payments to the researchers – but are encouraged at least to thank the researchers and provide a public recommendation for their efforts.
OpenBugBounty hosts Bug Bounty programs for such companies as A1 Telekom Austria and Drupal, with over 20,000 security researchers and almost 800,000 security vulnerabilities submitted so far. The platform says its policies and disclosure processes are based on ISO 29147 standard.
OpenBugBounty also cooperates with national CERTs and law enforcement agencies by providing them with a free API to the platform while keeping vulnerability details confidential unless a researcher discloses his or her findings to the public.
Backed by many renowned VC funds, including Intel Capital and Kleiner Perkins, SynAck was named “CNBC Disruptor” company four times in a row, from 2015 to 2019. SynAck stands atop commercial Bug Bounty platforms, also named in Gartner’s Top 25 Enterprise Software Startups.
Founded by Jay Kaplan and Mark Kuhr, security visionaries and reputable veterans of the US national security agencies, SynAck offers an elite team of thoroughly vetted cybersecurity researchers known as “Red Team” (SRT). According to SynAck, the SRT group is composed of security experts with verified backgrounds and credible industry experience.
SynAck successfully positions itself as the leader in trusted crowd security testing services by performing comprehensive due diligence on their Red Team and recording all their activities for future analysis or review. Finally, SynAck has successfully developed partnerships and technology alliances with the industry leaders, including Microsoft, AWS, and HPE, demonstrating strong potential for further growth.
YesWeHack is the rising star of our rating for 2021. The only European Bug Bounty and vulnerability disclosure company, YesWeHack efficiently attracts EU-based companies whose main concern is strict privacy and data protection. Recently, YesWeHack announced a record 250% growth during 2020 in Asia, demonstrating that European startups are capable of scaling globally.
Similar to BugCrowd, YesWeHack is well prepared to invest in its human capital. Last year, it launched a training program to help Bug Bounty hunters hone their hacking skills with the YesWeHack DOJO platform. It features introductory courses and training challenges focused on specific security vulnerabilities and playgrounds.
With DOJO, security researchers from all over the world can improve their software security testing skills. Finally, YesWeHack persuasively demonstrates its capacity to attract reputable European customers such as the French OVH conglomerate.
Bug Bounties have started their transformation from pure crowd security testing to all-in-one cybersecurity platforms, offering classic penetration testing and a myriad of other services. Today, it is difficult to predict how successful their offering will be against traditional MSSPs and cybersecurity vendors; however, Bug Bounties certainly created a new market niche with powerful potential.
While the open and free OpenBugBounty project brings maturity into the business, as the open-sourced Linux did against Microsoft decades ago, later giving birth to a multi-billion Red Hat business.
This is an indicator that the Bug Bounty market is becoming bigger and more competitive while the newcomers are still joining the game. We may probably expect even more Venture Capital and M&A deals fostering further expansion of the crowd security market.