We can’t say this too often: Adopters of crowdsourced security are only as successful as the hackers/security researchers with whom they collaborate, whether it’s in a crowdsourced penetration test, bug bounty, or something else. A major ingredient in that success is the ability to match and activate the right hackers and/or pentesters for the task at hand–and quite often, the types of hacker roles involved also make a big difference in the results.
When evaluating the value of crowdsourced security, many people focus on the number of researchers who will be focused on your targets. While this is a logical approach, it’s just as important to consider the diversity of perspectives that a “crowd” can provide. For example, in a traditional penetration test, the findings usually reflect the perspective of a single “type” of tester (more on that below) –and that produces results aligned with that, albeit ones that conform to a methodology. In contrast, a genuinely crowdsourced pen test (not a “crowd-washed” one) inherits value from the full range of thoughts, approaches, and styles that only a crowd can provide–and that enables more comprehensive, intense testing to find more diverse types of bugs. Furthermore, it’s a strong signal that “pay for effort” (typical of an industry-standard pen test) and “pay for impact” (typical of a bug bounty) testing models are highly complementary.
At Bugcrowd, we think of hackers/pentesters as belonging to one of five distinct roles: Beginners, Recon Hackers, Deep Divers, Generalists, and Specialists. (It’s also important to keep in mind that over time, hackers/pentesters can and will journey from one role to another.) Each type has an important role to play in a given program, and those roles are relevant to how the Bugcrowd Platform’s CrowdMatchTM technology matches the right crowd to a customer’s needs, at the right time, across 100s of dimensions.
Next, let’s take a look at each type of role in more detail.
Beginners on the Bugcrowd Platform refer to those who are new to the concept of crowdsourced security in general, rather than just being new to the platform specifically. When assessing a hacker’s level of experience on the platform, we may consider factors such as their participation on other platforms or their published research and tools. However, if such information is not available, we may assume that the hacker is a beginner in the ecosystem, at least initially (although this may not always be the case).
It’s important to note that being a Beginner does not necessarily mean that an individual is unskilled, even if they’re only submitting P3/P4 issues. For example, they may be working through a course to broaden their skill set, or they may have limited public presence but already work as a pentester and want to further develop their skills. Typically, this type of hacker covers vulnerability classes that others may not focus on as much, including P4 issues related to authentication and authorization, as well as simpler infrastructure issues (such as DMARC).
Beginners add value in terms of coverage and consistency. Their participation in a program ensures, for example, vulnerabilities that would typically be found in a penetration test are also identified in a bug bounty program. The last thing we want is for a customer to follow a pentest with an overlapping bug bounty, and only then learn about a bunch of lower-priority items!
The Recon Hacker
Recon Hackers focus on identifying issues across the largest scope possible, so these individuals often discover P2/P3 issues that would not typically be found in a penetration test.
Over the past few years, Recon Hackers have dominated every provider’s leaderboard due to the proliferation of subdomain takeovers, particularly in ROUTE53 and EC2 takeovers. While these takeovers are now largely patched, the leaderboards are now askew, and thus the highest-rated hackers may not always bring the maximum level of impact.
It’s important to note that many recon-based hackers are highly skilled. However, many of those who take a recon-first approach have found a lucrative niche, and thus tend to focus on refining their toolkit to further exploit only that niche.
The Deep Diver
Deep Divers are the most valuable hackers for Bugcrowd to identify, engage, retain, and uplift. These are hackers who tend to focus on a particular program, learn as much as they can about it, and provide unique and distinct value. A Deep Diver can uncover vulns that nobody else can due to their persistence and long-term knowledge of how a program operates.
Identifying these hackers is best done by analyzing the content of their submissions–rather than just looking at the spread of vulnerabilities on a program–due to the unique nature of these findings.
Generalists take a multifaceted approach: They have a solid foundation in reconnaissance and utilize it to cover attack surfaces thoroughly, without relying solely on large-scale monitoring and tooling. Generalists also apply a deep-diving approach to evaluating assets, similar to the Deep Divers. While they may not spend as much time on a particular program as deep divers do, they invest considerable amounts of time across a variety of programs. Due to their dual proficiency in recon and deep diving, Generalists gain a reputation on the Bugcrowd Platform quickly and are highly valued.
Specialists are a rare breed who require specific sourcing for an engagement. They possess unique and rare skill sets, and typically have years of experience in a particular technology (e.g., APIs, AI, IoT, web3) or a specific Bugcrowd VRT category.
As you read in the introduction, one of the Bugcrowd Platform’s greatest strengths is its ability to source and activate specialists to meet a program’s specific skill-set needs. Due to their specialized knowledge, Specialists can uncover issues that other hackers may miss, and they often provide invaluable, unique solutions to a problem.
An Engineered Approach
To maximize the contributions of each hacker role, Bugcrowd is strategic in its approach to sourcing and engaging with them. For example, adding Beginners to a program that has been running for three months may lead to frustration and a high number of duplicates, while adding Generalists too early dilutes the ability for Beginners to up-level themselves through their findings. Therefore, program maturity is an important input for our platform’s CrowdMatchTM technology when it sources the appropriate roles.
To summarize, different hacker roles contribute to crowdsourced security programs in different ways, and it’s important to deeply understand the program’s needs to make the most of those contributions. To respect that process, unlike other providers that rely on leaderboards or coarse-grained methods, Bugcrowd’s engineered approach intelligently sources and activates the right role types and skills for your programs, at the right time.