Hey all, we're James and William, founders of Federacy (YC S18). We're building a bug bounty platform for startups. (https://www.federacy.com)
I was an early engineer at MoPub, responsible for security and infrastructure. By the time we were acquired by Twitter, we were 20+ engineers, but growing so fast that building software and systems securely was almost an impossible task. I found that there were never enough hands; I couldn’t peel engineers from revenue-driving features and it was really difficult to find contract or full-time security engineers.
William and I started Federacy to make it easier for startups to secure themselves. We think the key is to pair startups with extremely talented, outside security researchers to test their applications for vulnerabilities, review code, and help implement best practices—essentially serving as an outsourced CISO.
We saw that the best security minds we knew either weren't interested in a full-time role for a single company, weren’t able to work in the United States, or already had day jobs at the largest Internet companies. We thought that if we provided an efficient, no-bullshit way for them to do work that they enjoy, make a real difference in how startups secure themselves, and make money while honing their skills, we could unlock a huge amount of talent that wasn’t accessible previously.
We have a lot of respect for what HackerOne and BugCrowd have built, but they are focused on serving mostly enterprise companies with large engineering and security teams, who can afford their services. Their revenue comes largely from triaging the high volume of low-quality and automated/spam bug reports that come through their platforms. These services can be in the six-figure range. It may be a good business, but that isn't where our passion lies.
Startups can’t afford these services and the burden of triaging low-quality bug reports can completely overwhelm even the best dev teams, leaving them worse off than they started.
We think there is a better way:
• We hand-pair startups with a small team of pre-vetted researchers who are subject matter experts in your stack.
• Researchers test your infrastructure for vulnerabilities in an initial scan, and work closely with you to resolve issues and implement best practices.
• Your program can be private, where only you and the researchers you approve will have access to your program. You don’t have to provide source code and all initial testing is done with only the information and access your normal users have.
• We create your program for you and have you up and running in 5 minutes (or you can self-serve, if you prefer).
• We only charge for results (when a researcher finds a vulnerability).
We just started building a couple months ago and are looking for early feedback. Here’s an invite link we made for HN:
We’ll be around all day to chat and are very happy to answer any questions as well as discuss how we built our product, security-related topics (systems automation, vulnerability reporting, coping with imposter syndrome, etc.), what it's like building a startup with family (we’re twin brothers), or anything in between.
Some specific questions we have:
• If you're familiar with other bug bounty platforms, are there any issues we can tackle early on that made the experience frustrating for you?
• Would you consider contracting an outsourced CISO or a pentest with a security researcher who has reported vulnerabilities to you through your bug bounty program?