CrowdCurity is applying the core principle of Bitcoin, decentralization, to security by offering a crowdsourced marketplace of global security testers.
Its clients "are getting a solution that actually mirrors the threat; hackers are global so a business should have a global security testing team," says Esben Friis-Jensen, one of three co-founders at CrowdCurity. "If you're centralizing the work and making it locally-based it won't be as efficient and creative; you won't get the coverage you need to solve the security problem."
CrowdCurity, which has been live since September, has seen more than 50 businesses take advantage of its platform of more than 1,000 testers from all over the world, says Friis-Jensen. "Approximately 80% are Bitcoin businesses, mostly exchanges and wallets," he says.
Its clients include Vault of Satoshi, a Canadian Bitcoin exchange; Justcoin, a Scandinavian exchange; and Vaurum, a Bitcoin exchange targeting financial institutions.
Justcoin, which has 23,000 users, began working with CrowdCurity early on, learning about the company through the Reddit discussion site.
"In terms of reputation, working with CrowdCurity says, 'Hey, we know we're not perfect and we'll pay you to show us how.' I think that's an assuring standpoint," says Andreas Brekken, lead developer at the exchange.
Testers are paid only if they find a vulnerability. About half of testers are paid in Bitcoin, while the rest are compensated in U.S. dollars, says Friis-Jensen. CrowdCurity charges a 20% service fee per reward paid out.
CrowdCurity's clients have paid testers approximately $50,000, he says. Justcoin has paid testers about $500 in bounties so far, says Brekken.
"When we signed up with CrowdCurity we had nearly no money and set the rewards very low," Brekken says. "As we grow, we increase the reward levels as we become a higher-value target."
A "bug hunter," as Brekken calls the testers, found that Justcoin had forgotten to set an option that prohibits browsers from displaying its site embedded in other sites. To reveal the seriousness of the issue, the tester created a phishing site by embedding the Justcoin site to demonstrate how to glean usernames and passwords from users, says Brekken.
Justcoin fixed the issue before an attacker could exploit it, Brekken says.
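The "option" the bug hunter found missing is the response header that tells browsers not to render a page inside another site's frame; without it, a page can be framed invisibly under an attacker-controlled overlay. The checker below is an added example written for this article, not code from Justcoin or CrowdCurity: it classifies a set of HTTP response headers (the sample responses are constructed) by whether they block framing via the legacy X-Frame-Options header or the Content-Security-Policy frame-ancestors directive that supersedes it.

```python
"""Classify whether an HTTP response lets other sites frame the page.

Constructed sample headers show the unprotected case (the gap the article
describes) beside the legacy and the modern fix. Added example; not from
the article's subjects.
"""

from typing import Mapping, Optional

# The two headers browsers honour for framing control. X-Frame-Options is the
# older mechanism; a CSP frame-ancestors directive takes precedence over it.
XFO = "x-frame-options"
CSP = "content-security-policy"


def _csp_frame_ancestors(value: str) -> Optional[str]:
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # A bare "frame-ancestors" with no sources is equivalent to 'none'.
            return " ".join(parts[1:]) or "'none'"
    return None


def frame_protection(headers: Mapping[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'restricted' or 'unprotected'.

    'unprotected' means any origin may embed the page, which is the
    clickjacking / overlay-phishing condition described in the article.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # Modern control: CSP frame-ancestors wins when present.
    csp = lower.get(CSP)
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            if sources == "'none'":
                return "blocked"
            if sources == "'self'":
                return "same-origin"
            if "*" in sources.split():
                return "unprotected"
            return "restricted"

    # Legacy control: X-Frame-Options.
    xfo = lower.get(XFO, "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete; current browsers ignore the whole header when
    # they see it, so from a defender's view the page is still frameable.
    return "unprotected"


# Constructed sample responses: the weak case beside two hardened cases.
MISSING = {"Content-Type": "text/html"}
LEGACY_FIX = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
MODERN_FIX = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in [("missing", MISSING), ("legacy", LEGACY_FIX), ("modern", MODERN_FIX)]:
        print(f"{name}: {frame_protection(hdrs)}")
```

Run against a site's real response headers (for example, the headers a `requests.get(...).headers` call returns), a result of `unprotected` on any page that carries a login form or a signed-in session is the finding the article's tester reported; the fix is to send `Content-Security-Policy: frame-ancestors 'none'` (or `'self'` where the site frames its own pages) and, for older clients, `X-Frame-Options: DENY`.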
Justcoin keeps its business constantly hooked up to the CrowdCurity platform so testers can continuously inspect its code.
Most companies keep their code on the marketplace, because "if you're always pushing new code, then you're potentially introducing new vulnerabilities so you need that continuous solution," Friis-Jensen says.
The vendor's four founders, all from Denmark, have backgrounds as IT consultants. "We've seen the results-driven model is better than a pay-by-the-hour model especially for testing," Friis-Jensen says. The other founders are Jacob Hansen, Christian Hansen and Jakob Storm.