Bugcrowd Blog

Building bridges between customers and researchers

Posted by Kymberlee Price on Dec 2, 2014 12:00:53 AM

Hello!

I’m Kymberlee Price and I’m the newest addition to the Bugcrowd team. As the Senior Director of Operations I am responsible for the ongoing operational management, strategic growth, and skill development of Bugcrowd's crowdsourced security research team and their functions. That is a fancy way of saying that I will be responsible for building programs that optimize Bugcrowd performance for both customers and the Crowd.

Taking a step back in time for a moment… I started my career in security at Microsoft, shortly after Bill Gates wrote the Trustworthy Computing Memo. My first week in the Security Business Unit was the week MS03-026 (a Windows patch for an RPC vulnerability) was reverse engineered and an exploit published, ultimately leading to the Blaster worm. Needless to say, it was a crazy first few weeks in my new job.

The information security industry has changed vastly since 2003, but two things remain constant:

  • all software contains vulnerabilities
  • security researchers find vulnerabilities

While the relationship between software vendors and researchers has improved greatly over the last decade, it is still imperfect. There are unrealistic expectations on both sides, and it is hard to build the trust that enables a productive conversation about what can and should be done. Disagreements about severity and risk impact are not uncommon. The level of detail in a vulnerability report varies widely, from vague and incomplete to incredibly detailed with proof-of-concept exploit code. Researcher expectations of fix timelines or issue severity are not always realistic, while vendors may underestimate risk or overestimate the amount of time they can take to fix issues without putting customers in harm’s way. Even the term “Responsible Disclosure” is rife with conflict, as all the responsibility appears to be on the researcher (report privately) and none on the vendor (fix whenever). Add the fact that most small-to-medium-sized companies don’t have a dedicated security response team staffed by security professionals, and the field gets a lot harder for both sides to navigate effectively.

This is where I see exciting opportunity at Bugcrowd, an opportunity to not only materially improve the security posture of Bugcrowd customer apps, but improve the state of vulnerability disclosure and security development. Bugcrowd’s long term vision for information security has created a culture committed to helping both customers and researchers improve their security abilities. A few of the interesting initiatives I’ll get to tackle:

  • Help researchers deliver high severity, high quality vulnerability reports that are actionable and communicate impact easily to developers.
  • Help researchers develop skills to improve their effectiveness and vulnerability reward earnings, as well as their career opportunities.
  • Help developers improve their Security Development Lifecycle through vulnerability trend analysis and incident response mentoring, so they can target internal training where it will produce more secure code.
  • Help Bugcrowd customers connect with the security research community at large.

The Bugcrowd team understands that building a successful crowdsourced security testing team that meets the needs of professional software companies is a challenge that requires balance. A balance of defense and attack, a balance of risk and impact, and a balance of what is possible and what is a real world threat. Vulnerability discovery is only the start.

We’ve got work to do. Let’s go.

-Kymberlee Price
Senior Director of Operations
Bugcrowd

