General Catalyst is leading the investment, with participation from previous sponsors Rally Ventures and Costanoa Ventures.
Bugcrowd has raised over $180 million to date and, while the valuation is not being disclosed, CEO Dave Gerry said in an interview that it has increased “significantly” since the company’s last round in 2020, a $30 million Series D. One of the startup’s biggest competitors, HackerOne, was last valued at $829 million in 2022, according to PitchBook data.
The plan is to use the funding to expand operations in the US and beyond, potentially including mergers and acquisitions, and to build more features on its platform, which – in addition to bug bounty programs – also offers services including penetration testing and attack surface management, as well as training for hackers to increase their skills.
This functionality is both technical and human in nature.
Gerry jokingly describes Bugcrowd’s premise as “a dating service for people who break computers,” but in more formal terms, it is built around a two-sided security marketplace. On one side are Bugcrowd’s crowdsourced coders, who sign up to join the platform and demonstrate their skills. These programmers can be hackers who work only on freelance projects, or people who work elsewhere and take on extra freelance work in their spare time. Bugcrowd then matches these programmers, based on their specific skills, with ongoing rewards programs among its clients. These clients, in turn, range from other technology companies to any company or organization whose operations rely on technology.
In doing all of this, Bugcrowd has tapped into some important trends in the technology industry.
Organizations continue to build more technology to operate, which means more applications, automations and integrations, and much more data being transferred from clouds to local servers, from internal users to clients and so on. All of this means more opportunities for code errors or bugs – places where an integration can create a security vulnerability, for example, or simply result in part of the code no longer working as it should – and a greater need for comprehensive work to identify these gaps.
In recent years, we have seen a profusion of new security tools, powered by AI, that aim to identify and remedy these gaps in a more comprehensive and automated way. But that has not yet replaced the role of human hackers. These hackers can work in a more manual way or can use automation tools to assist them in their bug hunting efforts, but they still have a critical role to play in how this technology can be directed. As the popularity of computer science continues to grow as a discipline, it produces an ever larger number of intelligent and technical people in the world who enjoy taking on this challenge, if not for the intellectual pursuit, then for the financial one. The most successful bug bounty hunters can make millions of dollars.
Gerry said the startup has been growing over 40% annually and is approaching $100 million in annual revenue.
The startup is now mainly headquartered in San Francisco, having been originally founded in Australia by Casey Ellis, Chris Raethke, and Sergei Belokamen (Ellis is still with the company as a director of strategy). It has “well over” 500,000 hackers and is adding about 50,000 hackers annually to that number, Gerry said, and it now has about 1,000 customers after adding 200 customers in the last year.
“Costanoa saw Bugcrowd grow from an innovative concept to early adopters to be a force multiplier for Fortune 500 companies today,” said Jim Wilson, a partner at Costanoa Ventures, in a statement. “Bugcrowd’s leadership team brings together experienced experts with deep knowledge of cybersecurity trends and a proven ability to navigate the complexities of the industry. This next stage of growth under Dave’s leadership will allow them to expand their product offerings to help security executives get even more value from the public. We are excited to continue our partnership with the team to seize the significant opportunities we have ahead.”