Bugcrowd helps you continuously find and fix critical vulnerabilities that other approaches miss by running penetration tests, bug bounty, and vulnerability disclosure programs using a multi-solution, crowdsourced cybersecurity platform. One of the key benefits of that platform is the ability to activate the right security researchers, for the right customer needs, at the right time.
In October 2021, we introduced you to CrowdMatch™, the machine-learning (ML) technology inside the Bugcrowd Security Knowledge Platform that makes a precisely curated crowd a feature of every Bugcrowd product. That post explained how crowdsourcing has outgrown outdated, coarse crowd-matching techniques, and how CrowdMatch’s innovative new approach creates opportunities for researchers to find issues based on their skills, industry expertise, interests, prior experience, and past collaborators on the platform. This leads to deeper, stronger crowd engagement and more impactful results for Bugcrowd programs. Why? Because qualified, motivated researchers will always produce more impactful findings and earn the rewards that go along with them.
CrowdMatch, like any other ML engine, just gets better as the data on which it’s trained gets better. Thanks to data spanning a decade (derived from the Bugcrowd Platform’s rich Security Knowledge Graph, which connects millions of data points about vulnerabilities, environments, assets/targets, and researcher profiles that we’ve curated over 1,000s of customer experiences), CrowdMatch has taken the value it delivers to researchers and users to an even higher level. In fact, CrowdMatch results versus previous matching methods are now touching triple-digit territory, with valid submissions up by 70%, payouts over 80%, and the number of P1s/P2s/P3s logged by researchers doubling!
How It Works
Let’s revisit the benefits of CrowdMatch and then take a quick look at how it accomplishes them:
- For researchers hunting on the Bugcrowd Platform, CrowdMatch serves a critical need: To help them find and/or receive invitations to challenging, motivating programs that are a good fit for their skills, interests, and experience. That leads to opportunities for higher rewards. (In fact, there’s a direct correlation between CrowdMatch, higher impact issues identified, and ultimately higher payouts – more on that below.)
- For Bugcrowd Platform users, CrowdMatch fills a gap in crowdsourced security today: Unlike other, coarse-grained approaches that treat crowd-matching as one-size-fits-all (leading to weak engagement), with CrowdMatch, Bugcrowd users have access to highly curated/highly engaged crowds to meet specific needs on demand. That means they can extend their own teams in a highly targeted way – to bring, for example, a crowd of networking experts into a network pen test, or to swiftly double the size of an existing crowd for a private bug bounty by adding new researchers who have similar certifications, track records, and expertise. That translates into faster launches, faster program iteration for improvement, and higher-impact results.
How is that done? CrowdMatch uses a variety of techniques, such as cluster analysis, to find the best matches for any program. As mentioned previously, cluster analysis accuracy is enhanced by the quality of the data used for training, and our Security Knowledge Graph contains uniquely detailed data that no other provider can match.
We’re confident that with this ongoing progress, CrowdMatch will continue creating the best match for delivering results to help improve overall security posture faster than we’ve ever seen before. These results are only the beginning, as there are other techniques that can be used to refine it further and achieve even better results.