Transcript

Pratik:
Hey, everyone. Pratik here, back with another video. Welcome to my CyberTalk series. This is a really special episode. Today, I will be talking to Casey Ellis, the chairman, founder, and CTO of Bugcrowd. As a security researcher, I truly admire his work, and I'm honored to have him work with us today. So welcome, sir, to my YouTube channel. And first of all, thank you so much for taking the time out and joining me on my channel. I am very honored to have you as my guest.

Casey:
Thank you so much for the invite. It's a pleasure to be here.

Pratik:
The first question: What are the challenges in running a crowdsourcing platform like Bugcrowd?

Casey:
I've been doing this now for coming up on nine years, and have been in the security space since long before starting Bugcrowd. The challenge specific to running a crowdsourcing platform: You've got to herd a lot of cats. There are people on the customer side and on the hunter side, they've all got their own opinions, they've all got their own individual skills, they've all got their own points of view. Ultimately, our job in the middle is to try to help everyone understand each other in a way that allows them to pass information back and forth and create value.

Casey:
That is just the fundamental challenge of the space itself. It's good because Bugcrowd and the crew, my co-founders and I, recognized the need to focus on that pretty early on in the piece. But it's a never-ending thing. Vulnerabilities aren't meant to be there in the first place. There are different levels of understanding of that truth, so our primary job is to get everyone on the same page.

Pratik:
Yeah, that's great. The second question is, what strategies do you employ to onboard into bug bounty programs, and who approaches first?

Casey:
It's a combination of both. In the early days, it was all about us going to companies. I started my security career as a pentester, did that for about six years, and then moved into solutions, architecture, and sales. I built a reputation, trust, and credibility with folks. Then decided I wanted to be an entrepreneur, and Bugcrowd was ultimately a product of that decision. I went to my old customers with the idea for Bugcrowd, asked if it made sense to them and if they wanted to try it out and actually engage with the process. This is about eight years ago at the very beginning.

Casey:
The thing that shifted over time, bug bounty, and the white hat community's power, it really got a tailwind behind it. If you think of it in sailing terms when you've got the wind behind you, that wind came up about two years in as a part of our efforts and "right idea, right time". Suddenly, bug bounty was a thing that everyone was talking about and trying to understand and wanting to do. Then it became a mix of both. We'd be reaching out to organizations saying, "Hey, do you want to try this?" and then we had people picking up the phone and calling us as well.

Pratik:
I see some of your videos on YouTube. You're already a keynote speaker at conferences. Are you also doing bug bounty in your time?

Casey:
Not as much as I'd like to these days. I've run businesses before Bugcrowd, but Bugcrowd was the first company I've been involved in that received venture capital and grown in the way it has.  What that's really put in front of me as something to learn is how to be a good executive, a good leader, grow a team, raise and manage capital, and those sorts of things?

How do you do all those kinds of business things which takes away from my time on the tools?

Casey:
What I spend most of my time on is as technical as it can now be working on policy. I'm a big believer in the fact that hacking should be better understood. Many of the laws that exist around computer hacking don't really understand the idea that there's this concept of a locksmith. The hackers I work with can do bad things but want to help. Most laws are based on the idea that you're automatically a bad person if you can break into a computer, so I spend a lot of time on the policy side trying to influence that and change that.

Casey:
I also do a bit of threat hunting and honeypot stuff. When big things happen on the internet, and the bad guys are going out and doing widespread new hacks, I get interested and jump into the middle of that. I'm involved in the CTI league and people defending against people that want to take advantage of COVID and stuff like that. Those are some of the ways I keep myself sharp.

Casey:
I don't do as much actual vulnerability research at this point in time as I'd like to, and I definitely did a lot more back in my day. But then I get to work with people like @hakluke, who you had on the other day, like @codingo, @jhaddix and @vortex. These folks are gifted. They want to learn more, they want to teach more, and they're really good at what they do. Almost through osmosis, I get to pick up the things that they're learning along the way, which is pretty great.

Pratik:
Yeah, okay. So the next question is how you decided to start a career as an entrepreneur in infosec? So that too as Bugcrowd? And initially, people will think to offer pentesting services or bounties, but why a crowdsourcing platform?

Casey:
Yeah, I think that's an excellent question. In terms of the decision to become an entrepreneur in the first place, honestly, I just thought I could. That's what it really came down to.

I'm like, "You know what? I think I could probably do this. I've got ideas. I can see where things are going and what's going to be needed in the future. I feel like I can build those things ahead of time in a way that's going to create value and solve problems. So, now I want to see if that's true or not." It was almost like this self-competitive thing that kind of drove me to become an entrepreneur in the first place.

Casey:
With crowdsourcing itself, the company I was doing before Bugcrowd was a pentesting company. And the way that we operated was. Basically, we had many resellers in Australia, where I'm from, that could sell this type of work, and that needed to deliver this type of work but didn't have the people to do it. In the meantime, I had all these friends in other parts of the world that were really highly-skilled but weren't connected to Australia's opportunities. What I did was spin up a pentest company that basically white-labeled their services through these resellers to make up for the skills gap in the Australian market.

The thing is that the skills gap exists everywhere. It's not just an Australian problem. It's one in the US, one in the EU, and one all around the world.

Casey:
So that was great. That was working really well. But it left me with this kind of nagging sense of it's not good enough. When you think about what we're doing, there are millions of people writing code, producing software, and making decisions about how systems are built. Humans are really excellent at a whole bunch of stuff, but we're not perfect. Sometimes when we make a mistake, sometimes that mistake creates a vulnerability. So, okay, that's our problem space. Then you've also got this massive crowd of potential adversaries that want to take advantage of those mistakes to find a way to break in. Then there's Bill the pentester in the middle, or Jane the pentester, or the scanner, or whatever you're doing to try to stay ahead of all of this. Ultimately can't outsmart all of that human firepower and that creativity that create the problem in the first place.

Casey:
It was really this idea of how do we level the playing field? There are millions of white hat hackers worldwide that are pretty much at the table waiting for an invitation. How do we plug them into the problem? How do we actually get them active in becoming a part of the solution?

Pratik:
Okay. And so the next question is, what makes Bugcrowd different from other such platforms?

Casey:
I get asked that one a lot. Honestly, we've really focused on being thoughtful of all of the people that are involved. You asked me the question before, what's the most challenging thing? It's that there are humans involved. At the end of the day, you've got a bug hunter that's reported an issue. You've got a program owner or an engineer on the other side that's trying to interpret that issue and figure out if it's valuable or not. There are all sorts of different ways that can go down.

How can we, as a company, make that as consistent and as likely to succeed as possible? Bugcrowd has been prioritizing that since the get-go. There's something to be said for abstracting that out and just saying, "Cool, this is how the platform works. Just deal with it." We chose the other road and really do put a lot of work into making it successful. That's a core principle.

We were also first to market. We were actually the first to launch a bug bounty program in this space. That's something that I'm pretty proud of, having kicked off an industry that's now definitely not going away.

The other thing would be that I don't see bug bounties as the end of the story. I think the way that people think about this space is just that you put a reward out, some people show up, you find out where you're vulnerable, they get paid, you fix it, and you move on. Ultimately, I actually see what we're doing as a component of the future of work. Security is this huge, growing, distributed problem. All these people have their own creativity and ability to help. How many other ways can we plug them in? The difference is that's something we've been trying to solve since day one, and continue to extend into. I think that's something that actually makes us different because I don't see any other platforms actually doing that.

Pratik:
The next question is, how has COVID affected the program policies on Bugcrowd? We don't see much difference in payouts, though, has it affected Bugcrowd in any way?

Casey:
I would say that what we've seen on the customer side is that some companies have put their foot on the brake, and some companies put their foot on the gas. Some have said, "Okay, the importance of the internet to our core business; COVID reveals that and we need to move faster." They've gotten more active in trying to find ways to put the crowd to work to help them do it securely. Then you've got this other camp that has been like, "Oh my God, there's a pandemic, there are economic uncertainty and all those different things." Reasonably so, I'm not saying they're wrong, but they're in a different camp. They've put their foot on the brake and said, "Wait a sec, we need to figure out how this is all going to shake out before we can take the next steps."

Casey:
On the hunter side, really what we're seeing is, in general, a considerable uptake of people participating. There have been more submissions, more active researchers actually submitting bugs. And I would say that the criticality has increased as well. That's at least partly because people have more spare time. They're not commuting two hours a day to and from work. They're thinking about how to take better control over their livelihood and their career. And this is merit-based, so if they can be successful, they do it. There's a whole bunch of different factors there.

Casey:
Not to downplay all of the loss and the pain COVID is causing, because it's an objectively bad situation for many people, I feel very fortunate. Honestly, for anyone in IT to be in the place that we're in right now, because we're doing fairly well. Not to downplay the pandemic, but what it's done is it's really kind of highlighted how critical technology is as a part of the future of how we do most things. We're doing this over Zoom right now, which allows you to be where you are, and for me to be somewhere else. This is just a normal part of how most people do everything today, which wasn't true six months ago.

Casey:
There are all of these different examples where COVID has really reinforced that technology is genuinely a linchpin in how we do life. Which means that we need to secure it, we need to make sure it's safe. That's obviously helping Bugcrowd and helping the mission that we've got as an organization.

Pratik:
Yeah, okay. So the next question is, what motivates you? For example, like the technical challenge, an overt problem, or the helping the world, etc?

Casey:
I grew up the child of a science teacher, oo lots of physics, lots of math and all that kind of stuff, so I'm naturally fairly analytical. What I'll try to do is boil everything down to its simplest truths. I feel like I find something that's inarguable, then that becomes the principle that I operate from going forward. Those things motivate me. I think fundamentally, I'm super passionate about the pursuit of potential. I think everyone's got greatness, everyone's got their own giftings and their own kind of contribution they can make to humankind in them, including me.  I'm motivated about unlocking that in myself, and helping others unlock that in themselves too.

Casey:
I'm also fairly stubborn. If I see something that I think should be a certain way for the sake of it being like the right thing for everyone who's involved, THEN I'll tend to dig my heels in on that type of thing and just push on it. So there's a lot of different things. I think that whole idea of the pursuit of potential and just going for it because I believe I can and want to find out, that's something that really gets me out of bed in the morning.

Pratik:
Okay, that's a great answer. And our next question is, have you ever failed at anything? If so, how did you handle it, and what did you learn?

Casey:
Yeah, I love that. Yeah, totally. Bugcrowd is an overnight success story that was 20 years in the making. I've made all sorts of decisions, well-intentioned, and with the best information I had available, that turned out to be not quite right. For example, I did a startup with my wife shortly after quitting my job for the first time and decided to become an entrepreneur. We wanted to create an analytics platform for people selling stuff on eBay because I was selling things at the time. I'm also a musician, so I imported gear, sold it on, and did things like that. But I didn't factor in that eBay might also want to do what I was doing at some point. Eventually, they did, and they completely broke my platform. They took it over and did it themselves, and at that point, I was left with was nothing but the learnings. The value of that project pretty much went to zero overnight.

Casey:
That wasn't their fault. It was my fault because I didn't factor in this risk when I was building the business, to begin with. I didn't talk to eBay. If I'd have reached out and built a relationship as I was building the platform, then maybe they would have acquired that business instead of just basically shutting it down. So that's objectively a failure because it didn't work out as a company. I learned a bunch from that which I've since used in other ventures and in Bugcrowd.

Casey:
If you want to be an entrepreneur, it's not a straight path, ever. Anyone who's ever been successful at building a business, or starting an idea and having it grow, will say this. The further along you get in that journey, the more of these stories of decisions that you'd wish you'd made slightly differently kind of pile up. The trick is, do you bounce back from that stronger and smarter? Do you get back on the horse? Do you learn from failure and try not to repeat it again in the future? I think that's a universal truth when it comes to success. There's only so much you can learn in school. When you actually put it into action, that's when you know the chaos and the world's opinion and the market come into play. You've got to work out how to adapt to that. And that does involve failure which, if you're afraid of it, you're probably not going to succeed in the first place. You've got to be able to actually move forward.

Pratik:
Yeah, okay. The next question is, is it possible to build a wildly successful company without burning out or damaging other parts of your life, like family, health, etc.?

Casey:
I believe it is. Business history and the internet is littered with stories that will tell you that it's not possible to build a company without damaging the rest of your life. I don't think that's true. We got Bugcrowd into an accelerator program kind of like Y Combinator, but in Sydney, it's called Startmate. I got introduced to all of these successful entrepreneurs and other people that I then engaged as mentors. I noticed a lot of them were divorced, a lot of them were on their second or third marriage, and many were estranged from their kids. That's not necessarily a diss on them. Sometimes that just happens.

Casey:
But what it forced me to think about was, "How do I prioritize my wife and two kids against my business and figure out how to maintain a balance between those two things?" Because if I don't do that, naturally, the business will just grow and try to consume everything, and I'll end up damaging my family, as you said. It was actually an excellent lesson, using that as a kind of forcing moment for me to think about how I would approach that.

Casey:
So to your question, is it possible? I think it is, but you have to be very deliberate about it. You're creating content. Suddenly, that becomes wildly successful, and it becomes all you want to do at the expense of everything else. That's just what will happen, so you have to decide whether or not other things are essential and, if they are, how are you going to balance that out? It's something that you've got to continually revisit and always be mindful of, I think.

Pratik:
Yeah, that's totally true.

Casey:
Always just get started, but then know what your priorities are. If you decide "Cool, I want to do this thing, but I'm not going to sacrifice these other things," then learn how to keep them in balance and actually start to build the discipline into how you operate. That gets you all of what you want. The alternative is that you just let your family fail, and focus on your business, and maybe it'll work. That's what many people do, and it's not the choice I'd make, but there are many examples of that being successful for the business. Taking a moment to list out the most important things to you and then figuring out how you prioritize is a crucial thing to do.

Casey:
If you decide that family's important and your family starts to become challenging to manage because you're so wrapped up in business. It is a pretty good barometer of your management and leadership in your company. It's like, "Oh cool, I've decided that I don't want to compromise my family for the sake of my business, but I'm doing that anyway. Am I being mindful about my business, or am I actually creating  points of risk or points of lack of scalability in what I'm trying to build?" So yeah, it's a journey. The simple answer is yes, I think it can, but it doesn't happen by mistake.

Pratik:
Yeah, okay. So the next question: If you had to come up with three words to describe the culture you want to create, what would they be?

Casey:
I think empathic. Empathy, actually thinking about the other person, not just what you're thinking about.

Humble in the sense that you know what you're good at, but you also know that you don't know everything. Humility allows empathy, so those two are tied together.

The third would be optimistic. We all want the internet to succeed. We like it, we're using it right now to do this. People that are listening to this are using a whole bunch of platforms to do that. We'd all like that to continue. We also know that there's a bunch of broken stuff, and it's very easy to become pessimistic. How can we choose to be optimistic and always be working towards a solution and a future, instead of just getting stuck thinking about the broken stuff?

Pratik:
That's a great answer. So the questions are over. So I guess guys, that's it for today. I would like to thanks Casey Ellis for joining the CyberTalk and sharing his knowledge and experience with our audience. It will surely help us in the future. It was an honor to host you, so thanks for joining.

Casey:
Yeah. My pleasure to get the invite, and it's always a pleasure to talk. For the hunters out there, you are the internet's immune system. It's an incredibly exciting space. Over my 20 years of cybersecurity, people didn't really care about what we do in the way that they do today, up until maybe five or six years ago. It's a really exciting time to be joining in the fight to make the internet a safer and better place. And I appreciate all of you getting involved.