Federacy

Bug bounties for startups

#5 Product of the Day, August 13, 2018

Federacy is the first bug bounty platform built for startups. Our security researchers pentest your site and let you know if you have any exploitable vulnerabilities. It's free, you only pay for results.



Discussion

Aazar Ali Shad (@aazar_ali_shad) · Automating GDPR Compliance
Great idea - is it system detected or person detected? What’s the pricing?
William Sulinski (Maker, @williamsulinski) · Co-founder, CEO @ Federacy
@aazar_ali_shad it's all person detected. Our outside security researchers use their own tooling, of course.
Alexander Smekhov (@asmekhov) · Managing Director
Good idea. How will the price be regulated for a bug bounty? What currencies do you accept?
William Sulinski (Maker, @williamsulinski) · Co-founder, CEO @ Federacy
@bitrewards Thank you! Bug bounties are set by the companies. We provide guidance, based on what we're seeing work well in the marketplace. All programs are private right now (between the company and the researchers that have been approved), and we hand-pair you with researchers. We currently only accept USD, but we're working on payments. What currencies would you like to see us add?
William Sulinski (Maker, @williamsulinski) · Co-founder, CEO @ Federacy
Hey @chrismessina, thank you for hunting us! Super excited to share what we've been working on at YC over the last few months with the community here on Product Hunt.

Federacy is a bug bounty platform for startups. James was an early engineer at MoPub, responsible for security and infrastructure. By the time they were acquired by Twitter, they were 20+ engineers, but growing so fast that building software and systems securely was almost an impossible task. He found that there were never enough hands; he couldn't peel engineers from revenue-driving features, and it was really difficult to find contract or full-time security engineers.

We started Federacy to make it easier for startups to secure themselves. We think the key is to pair startups with extremely talented, outside security researchers to test their applications for vulnerabilities, review code, and help implement best practices. We saw that the best security minds we knew either weren't interested in a full-time role for a single company, weren't able to work in the United States, or already had day jobs at the largest Internet companies. We thought that if we provided an efficient, no-bullshit way for them to do work that they enjoy, make a real difference in how startups secure themselves, and make money while honing their skills, we could unlock a huge amount of talent that wasn't accessible previously.

We have a lot of respect for what HackerOne and BugCrowd have built, but they are focused on serving mostly enterprise companies with large engineering and security teams, who can afford their services. Their revenue comes largely from triaging the high volume of low-quality and automated/spam bug reports that come through their platforms. These services can be in the five-six figure range. It may be a good business, but that isn't where our passion lies.

Startups can't afford these services, and the burden of triaging low-quality bug reports can completely overwhelm even the best dev teams, leaving them worse off than they started. We think there is a better way:
• We hand-pair startups with a small team of pre-vetted researchers who are subject matter experts in your stack.
• Researchers test your infrastructure for vulnerabilities in an initial scan, and work closely with you to resolve issues and implement best practices.
• Your program can be private, where only you and the researchers you approve will have access to your program. You don't have to provide source code, and all initial testing is done with only the information and access your normal users have.
• We create your program for you and have you up and running in 5 minutes (or you can self-serve, if you prefer).
• We only charge for results (when a researcher finds a vulnerability).

We just started building a couple of months ago and are looking for early feedback. Here's an invite link we made for Product Hunt: https://www.federacy.com/

We'll be around all day to chat and are very happy to answer any questions, as well as discuss how we built our product, security-related topics (systems automation, vulnerability reporting, coping with imposter syndrome, etc.), what it's like building a startup with family (we're twin brothers), or anything in between.

Some specific questions we have:
• If you're familiar with other bug bounty platforms, are there any issues we can tackle early on that made the experience frustrating for you?
• Would you consider contracting an outsourced CISO or a pentest with a security researcher that has reported vulnerabilities to you through your bug bounty program?
Sachin Agarwal (@sachinag) · Principal PM, LaunchDarkly
@williamsulinski I really appreciate you being thorough in how Federacy works, especially by calling out the differences between y'all and Bugcrowd/HackerOne up front so that folks can figure out if your offering makes sense for folks straight off the bat. The pairing, in particular, is super valuable. Hope you can scale that up; I see a lot of success in your future!
Jono Kolnik (@kolnik) · CTO @ Toybox
Yes! This is the first time my startup has a bug bounty program - I sleep much better these days :)
Davit Buniatyan (@david_buniatyan) · Co-founder at Snark AI
Sounds very cool! Could we specify what types of vulnerabilities we are looking for security researchers to concentrate on?
James Sulinski (Maker, @jsulinski) · Founder, Federacy
@david_buniatyan Definitely! When you create a program, you can modify the template Vulnerability Disclosure Policy (which was released under the Creative Commons Attribution Share Alike 4.0 license here: https://github.com/federacy/vuln...). You might also define scopes (in and out), as well as known issues. This helps to prevent having to pay out for research on issues that you're already aware of and/or that have already been reported. It also helps to communicate to researchers where you want them to focus, and what the expected rewards are for various kinds of vulnerabilities and scopes.