Bugcrowd, a startup that taps its database of half a million hackers to help OpenAI and the US government set up and run bug bounty programs that reward freelancers who can find bugs and vulnerabilities in their code, has picked up a large sum of its own to further grow its business: a $102 million equity round.
Common Catalyst is leading the investment, with previous backers Rally Ventures and Costanova Ventures also participating.
Bugcrowd has raised more than $180 million to date, and while the valuation was not disclosed, CEO Dave Gerry said in an interview that it “has grown significantly” compared with its last round, a $30 million Series D in 2020. One of the startup's bigger competitors, HackerOne, was last valued at $829 million in 2022, according to Pitchbook data.
The plan is to use the funds to expand operations in the US and beyond, including M&A, and build more functionality on its platform, which — in addition to bug bounty programs — also offers services including penetration testing and attack surface management, as well as training hackers to increase their skillsets.
That activity is technical but also human in nature.
Gerry jokingly describes Bugcrowd's premise as “a dating service for people who break computers,” but in more formal terms, it's built on a two-sided security market: Bugcrowd crowdsources coders, who apply to join the platform by demonstrating their skills. Coders can be hackers who only work on freelance projects, or people who work elsewhere and pick up additional freelance work in their spare time. Bugcrowd matches these coders, based on their specific skills, with bounty programs run by its clients. Those clients, meanwhile, range from other technology companies to any company or organization whose operations rely on technology to function.
In doing all this, Bugcrowd is tapping into two important trends in the tech industry.
Organizations continue to build more technology to operate, which means more apps, more automation, more integrations, and more data moving from clouds to on-premises servers, from internal users to customers, and more. All of this means more opportunities for mistakes or bugs in the code (places where an integration creates a security vulnerability, for example, or causes a piece of code to stop working), and identifying those gaps requires extensive work.
Recent years have seen a flurry of new security tools powered by AI that aim to detect and remediate those gaps in a more comprehensive and automated manner. But they still don't replace human hackers. Those hackers may work in a more manual manner or use automation tools to aid them in their bug-hunting efforts, but they still play a key role in how that technology can be directed. As computer science continues to gain popularity as a discipline, it has produced many smart and technical people who are willing to take on the challenge, whether for economic or intellectual pursuits. The most successful bug bounty hunters can earn millions of dollars.
Gerry says the startup is growing 40% annually and approaching $100 million in annual revenue.
The startup is now primarily headquartered in San Francisco, but it actually got its start in Australia with Casey Ellis, Chris Raitke, and Sergey Belokamen (Ellis is still with the company as Chief Strategy Officer). It now has 500,000 hackers and is adding about 50,000 hackers to that number annually. Gerry says there are 1,000 customers, after adding 200 clients in the last year.
“Costanova has seen Bugcrowd grow from an innovative concept for early adopters to a force multiplier for Fortune 500 companies,” Jim Wilson, partner at Costanova Ventures, said in a statement. “This next phase of growth under Dave's leadership will allow them to expand their product offerings to help security executives get more value from the crowd. We are excited to continue our partnership with the team to seize the significant opportunities ahead.”