What makes crowdsourced security work? In a word: collaboration.
Collaboration is also the oil, fuel, and accelerant that makes much of the world around us function as well. Without collaboration there would be no moon landing, no Macintosh, nor countless other innovations and breakthroughs. The Internet itself is nothing more than a series of computers collaborating—born out of humans collaborating to create systems that now function and collaborate with each other on their own. To say the world runs on collaboration would be an understatement. Collaboration begins with shared interests, mutual respect, and common goals.
When it comes to any crowdsourced security program, there is nothing more powerful or a greater predictor of success than that of our good friend: collaboration. By definition, crowdsourced security requires two parties: the organization and the security researcher – neither side completes the equation in and of itself. The organization is needed to create an attractive and hospitable environment for the security researcher to work within, and the security researcher needs the consent and responsiveness of the organization to perform their best work. Crowdsourced security cannot function without the collaboration between an organization and the security researcher(s), which is the reason Bugcrowd has created a platform to enable, facilitate, and reward such collaboration.
To be collaborative, both sides rely on a shared sense of mutual trust and respect – where researchers and organizations operate in a mutually beneficial manner – each keeping the interests of the other in mind. Particularly in the world of bug bounty, this is on high display as organizations create programs that are designed to be attractive to researchers via competitive scopes and rewards, while researchers are incentivized to provide submissions of value to the customer, which are then rewarded based on their severity.
But as anyone who has worked for a bad boss can attest to, when it comes to the researcher, it’s not just about the paycheck; and conversely, when it comes to the organization, it’s not just about the submissions. An unresponsive or dismissive organization, no matter how good the rewards, will deter talented researchers from participating in their program. And conversely, no matter how talented the individual, an abusive, unprofessional researcher is one that no organization wants to deal with.
The rub of it all is that while we place labels on things, in reality, there is no such thing as a “dismissive organization”. There’s something we all tend to forget when we’re behind a keyboard: everyone we interact with is a human (unless it’s a bot, of which there are many, and it’s increasingly hard to tell the difference). When one sends a message in either direction, it’s not going to an “organization” or some nondescript inbox to be processed entirely by a robot. The message is going to a human with the same needs, wants, and desires that we all share. Unfortunately, it’s really easy to forget that.
No matter what or who we’re interacting with online, it’s all too convenient to lob accusations or insults that we’d never do in person. Internet bravado is so common that “keyboard warrior” is actually a term that’s now in the Cambridge English Dictionary. I personally fall prey to this rapid-fire mechanism that enables me to hurl my unprocessed thoughts into the cyberverse without so much as a second thought, let alone a first one (my deepest appreciation goes out to the good people who came up with the ability to edit Slack messages – you da real MVP). Point being: though it may seem that our cleverly crafted verbal missiles are being shot merely through cyberspace, they have incredibly real-life consequences and impacts—even from the digital world, you can still ruin someone’s day with just a few ill-advised or misunderstood words. This holds equally true no matter who or what you are—an organization, a researcher, or just someone who happens to be reading this blog. Everyone, in every interaction, deserves basic human decency and respect—even when disagreeing, it’s possible to disagree respectfully, and leave both parties’ dignity intact.
And yet, it is not always the case that we are treated with decency. It is unfortunately common for people to be abusive or disrespectful in one way or another, whether on a submission itself or as a Twitter/Discord/Facebook/etc. troll. But even in those situations, the absence of respect from the other side does not preclude one from their responsibility as a human being to practice human decency and civility in return. Even if the opposing party won’t take the high road, it is still possible for us to take it, and it doesn’t cost us a cent to do so. At the risk of being preachy (though I think I crossed that line many paragraphs ago), may I encourage you to always take the high road. Not just for your sake, but for the sake of remembering that you/I/we are humans. Nobody lacks a valid reason to be a little on edge these days, and for that reason alone, it’s even more important than ever to treat each other with decency, dignity, and respect – knowing you would prefer they do the same to you, even if they don’t.
Of course, all this talk has to lead somewhere. I almost wanted to leave this note simply as a reminder to be kind to one another, and to remember not only your humanity, but the humanity of everyone else around you – both physically and virtually. But alas, I do have an ulterior motive to get to, and that is to talk about Bugcrowd’s Code of Conduct – which applies to both Bugcrowd and its researchers.
In the Bugcrowd Code of Conduct, the very first core value is to “be kind”, followed by the second as “be respectful and professional in your communications and behavior”. It’s worth highlighting that “respect is king” is a core Bugcrowd value and tenet, as outlined in this 2015 blog on our first principles. Both respect and kindness apply both inside and outside the Bugcrowd platform when communicating about your submissions, experiences, or otherwise.
We expect all parties to engage in and maintain professional dialogue in all settings and circumstances as it relates to working with/on Bugcrowd. How and what you communicate around things not relating to Bugcrowd is your decision to make (though may I yet further encourage you to always take the high road), but when interacting with researchers (even from one researcher to another), organizations, or staff, all involved parties will be held to the Bugcrowd Code of Conduct, and the required disciplinary actions will be taken where applicable. This policy has been somewhat relaxed historically, but is a point of emphasis going forward as we look to continue to foster an inclusive, diverse, and professional platform and community. To be clear: abusive, intolerant, and unprofessional behavior towards researchers, members, or organizations will not be tolerated. Once more, the sharing of your opinion and perspective is encouraged. If you feel things are not the way they should be, that dialogue is the root of all progress. However, there is no place for abusive or inflammatory interactions when it comes to crowdsourced security, regardless of the forum. We are fortunate that the Bugcrowd community of researchers, employees, and customers live by these principles. We see the benefit of this every day—collaboration driven by trust and respect creates a marvelous closed loop that rewards all participants alike!
For 99.999% of those reading this, you’re probably like most people, and are already a reasonable human being who doesn’t need to be reminded to treat other humans with dignity and respect. However, in the unfortunate event that you feel you’ve witnessed or been the victim of abusive or unprofessional conduct, please reach out to us at firstname.lastname@example.org to file an incident, and we’ll perform a thorough review of the situation and proceed with any necessary actions as a result.
We look forward to continuing to connect incredibly talented researchers with organizations, and creating a hospitable environment that’s inclusive and enjoyed by all. Good luck, and happy hunting!