Portfolio
Companies we've built, invested in, and advise — all working at the cutting edge of cybersecurity.
About White Label Security
White Label Security (2010-2013) productized penetration testing and security assessments for the MSP channel. The thesis: most small IT shops couldn’t afford to hire pentesters, but their clients needed security services. WLS provided a turnkey platform (branding, scoping tools, report templates, and a network of vetted testers) so MSPs could resell security under their own name.
The company proved the model worked. MSPs bought it, their clients valued it, and the security talent showed up. WLS was, in hindsight, an unwitting prototype for Bugcrowd.
The Platform
- Turnkey pentest-as-a-service platform for MSP resale
- White-labeled reports, scoping questionnaires, and client portals
- Contractor network management and quality control systems
- PCI DSS and HIPAA compliance assessment workflows
The Bugcrowd Connection
WLS validated two things that became foundational to Bugcrowd: enterprises would pay for outsourced security testing, and skilled researchers existed in abundance but were poorly connected to opportunities. The difference was scale. WLS coordinated testers top-down; Bugcrowd let researchers self-select into programs. Same insight, different execution. The crowdsourced model unlocked global scale.
Bugcrowd launched the following year.
About Bugcrowd
The hacker community has always been full of people who think like criminals but have a core conviction not to cause harm. They are ordinary individuals with extraordinary skills, and the world sees them as threats. Bugcrowd was built to bridge that disconnect: connecting those who can help with those who need help.
Attackers are creative, driven, and persistent. A small security team cannot defend against multiple diverse adversaries coming from all angles. Defenders need an army of allies. Bugcrowd provides one.
Today, over 100 crowdsourced security platforms operate globally. Bugcrowd created the industry.
The Platform
- The platform that created the bug bounty industry
- Global network of security researchers who self-select into programs
- Vulnerability disclosure programs adopted by Fortune 500s and governments
- Penetration testing at crowd scale
- Attack surface management powered by human intelligence
The Thesis
White Label Security proved enterprises would pay for outsourced security testing and that skilled researchers existed in abundance. The limitation was coordination. Managing contractors top-down didn’t scale.
Bugcrowd inverted the model. Instead of assigning testers to programs, researchers choose their targets. The crowd self-organizes around opportunity. Same insight as WLS, different execution, and the crowdsourced model unlocked global scale.
About disclose.io
Someone finds a security flaw in a system. They want to report it. What happens next?
For most of the internet’s history, the answer has been: nothing good. No standard way to report. No assurance the reporter won’t be sued. No clarity on what “responsible” even means. Laws like the CFAA presume researchers are criminals. The result: vulnerabilities go unreported, or get sold to the highest bidder.
disclose.io changes the norm. It is a vendor-agnostic, open-source framework that standardizes how organizations receive vulnerability reports and commits them to safe harbor for good-faith researchers.
Vulnerability disclosure should be as normal as having a security team. disclose.io makes it possible.
The Framework
- The dioterms safe harbor framework, now adopted globally
- Standardized VDP policy templates in multiple languages
- The security.txt standard (RFC 9116) for machine-readable security contacts
- Community database of organizations with published disclosure policies
- Policy guidance used by governments, Fortune 500s, and critical infrastructure
- Directory of over 100 crowdsourced security platforms worldwide
The Problem
The internet runs on software written by humans. Humans make mistakes. Vulnerabilities exist in every system. The question is whether they get found by someone who wants to help or someone who wants to exploit.
Most organizations have no idea how to receive a vulnerability report. Researchers have no way to know if reporting is safe. The norms don’t exist. disclose.io creates them.
For hackers, researchers, and anyone who stumbles across a security issue: a signal that says “we welcome your report, and we won’t sue you for helping.”
For organizations and vendors: a statement that says “we understand security is hard, we welcome feedback, we have the means to process it, and we’re mature enough to prove it.”
In the meantime, everyone else benefits from better security overall.
Investing & Advisory
Investment capital and strategic advisory to founders building the next generation of security and AI.
Dreadnode
Advancing the state of offensive security.
runReveal
The way to query, use, and investigate security logs at scale.
Truffle Security
Unearth your secrets.
Ghost Security
App Security. Built by Humans, for AI.
Corridor.dev
The AI-powered Secure by Design platform.
Anetac
Identity is the new perimeter.
The Hacking Games
Matching unconventional problem-solvers with cybersecurity careers.
Lastwall Networks
Secure identity management for defense and government.
Cadence
AI productivity tool for distributed teams.