What is Crowdsourced Ethical Hacking?
Typically, companies hire specialized IT service providers to perform penetration tests on web applications and networks. These service providers function like medical practices: an appointment is made, and a few weeks later the assigned experts take care of the project. For some years now, however, companies have been able to take a different route and turn to swarm intelligence when carrying out penetration tests. So-called crowdsourced penetration testing platforms make this possible. These platforms maintain a global network of pentesters who are on standby and can search for vulnerabilities around the clock. The pentesters receive success-based rewards for verified vulnerabilities, much like in bug bounty programs. Crowdsourced ethical hacking is a typical example of the gig economy, in which a platform acts as an intermediary between a client and a service.
What are the benefits of crowdsourced ethical hacking?
Penetration testing platforms boast several advantages over traditional pentesting, including:
Access to a wide range of skills
In times of skills shortage, it is very difficult to find qualified pentesters. Through crowdsourced ethical hacking platforms, companies have access to a global pool of ethical hackers with diverse skills, who together can keep up with the rapid pace of developments in cybercrime.
Crowdsourced ethical hacking platforms are often more than a simple middleman. They bring technology to the table that an individual pentester or small service provider cannot offer. These technologies aim to make the ethical hackers' job on the platform as easy as possible and can automate certain parts of penetration testing.
Continuous testing and immediate availability
Crowdsourced pentesting allows clients to have applications and systems tested continuously. This continuous approach aligns closely with the way modern software is developed today. In addition, the lead time is very short: usually, you can start your project within a few days.
The ethical hackers on the platforms are paid based on performance, i.e., for vulnerabilities found and verified. As a client, you therefore pay for the results of the testing activities and not for time spent, apart from the platform's basic fees.
What are the disadvantages of crowdsourced ethical hacking?
Trust in the platform selection process is necessary
Pentesting inevitably means disclosing sensitive information to an external party. You don't have a personal relationship with anonymous pentesters from the "crowd," so you have to trust the provider's screening process. Of course, all major platforms assure clients of a rigorous selection and monitoring process and of actively maintaining their hacker community. Nevertheless, there remains the uncomfortable feeling that actors with bad intentions might be on the platforms.
While there has been a lot of activity in the crowdsourced ethical hacking market in recent years, the platforms are still primarily suited for pentests of web applications and perimeter assets. In practice, internal penetration testing is much harder to implement in this model. However, internal pentesting is becoming more and more important due to ever-increasing connectivity and the growing number of intrusion points.
Costs are highly variable with most providers, making them difficult to predict. Some providers offer a monthly flat rate, but this then represents a significant barrier to entry. No matter how the compensation model is designed, it can be quite expensive for clients. Therefore, crowdsourced pentesting is best suited for large companies that already have a lot of experience with pentesting.
Questionable compensation models
Only a small proportion of hackers on the platforms earn a significant income from their rewards. There is a high risk that effort and earnings are out of proportion, e.g., because one is not the first to report a vulnerability and thus goes away empty-handed. Fortunately, the platforms are increasingly starting to pay for the work performed.
A look behind the scenes
The above criticisms are by no means the only ones. An investigative article by J.M. Porup offers a deep look into the problems of the industry.
List of the most popular providers
In the following, I would like to briefly introduce three well-known players on the market:
HackerOne brings together the largest hacker community, has the most customers, and has paid out the most rewards so far. HackerOne offers several crowdsourced security services, including penetration testing. The platform lists the following product capabilities:
- web and mobile applications
- external network
- internet-facing infrastructure
An overview is available at https://www.hackerone.com/resources/one-pager/hackerone-pentest-overview
Bugcrowd is the number two in the market and very similar to HackerOne. In the area of penetration testing services, Bugcrowd offers the following:
- Web App Pentests
- Network pentests
- API pentests
- IoT pentests
Many hackers are registered on both Bugcrowd and HackerOne.
Synack differs significantly from other platforms. First, the selection process for hackers is much more demanding, and second, the platform relies on a different pricing and compensation model. Overall, this results in a higher barrier to entry for customers and ethical hackers. It is also interesting to note that Synack is very keen to support the pentesters with technology, for example with AI-supported scanning through the platform itself.
Crowdsourced ethical hacking is an exciting phenomenon and global players seem to be particularly attracted to the concept. In the area of web application pentesting, the platforms offer an interesting alternative to classic penetration testing. However, as shown, there are some negative aspects in the industry, which we hear surprisingly little about from the platform providers’ side.
In the area of network penetration testing, I see no need to rely on crowdsourced ethical hacking in the long term. Here, the level of automation via software solutions is being pushed higher and higher, ultimately reducing the need for manual activities that must be performed by humans. For network testing, I would therefore rely on Breach and Attack Simulation and Automated Penetration Testing solutions instead.