66. Turn Hackers Into Your Security Team - with Grant McCracken
Justin Shelley (00:00)
Welcome everybody to episode 66 of Unhacked. We're here to help business owners navigate the chaos. We were just talking about chaos, but we're talking about chaos of cyber threats, cybersecurity, bad guys, Russian spies, Russian hackers, all that kind of stuff. With the hope of having all of us come out stronger, smarter, and more secure. And I will say for my part, having been doing this podcast for well over a year now, I know a whole lot more than I did when I started. Anybody else feel that way?
Mario Zaki (00:28)
I agree.
Bryan Lachapelle (00:28)
100%.
Justin Shelley (00:29)
Lordy, I used to think I knew stuff. And then we started interviewing people like Grant McCracken, who we have on here today. So let's do some introductions. I'm Justin Shelley, CEO of Phoenix IT Advisors. And in my company, we help people use technology to build wealth with their business and then protect that wealth from again, the Russian hackers. Mario will have something to say about that. The government fines and penalties and class action lawsuits because everything else isn't enough. Now we've got to worry about the attorneys and the court system. So it's ugly out there, guys. And we're here to help you navigate.
and fight back. Bryan, tell everybody who you are, what you do and who you do it for.
Bryan Lachapelle (01:03)
Excellent. Like Justin, I also help business owners. My name is Bryan Lachapelle, CEO of B4 Networks. We're based in Niagara, Ontario, and we help business owners across Niagara and Simcoe eliminate the frustrations that come with dealing with technology while keeping them secure. Our mission is very simple. We make IT a growth driver and not a roadblock.
Justin Shelley (01:24)
Ooh, I like it. Mario, what do you got for us?
Mario Zaki (01:27)
Mario Zaki, CEO of MassTech IT located in New Jersey. Been around for about 21 years now. We help small to medium sized businesses stay safe online from those Russian hackers, the Chinese and all the other countries that Justin refused to touch on. But we specialize in making sure business owners have the ability to sleep better at night, knowing that their companies are gonna be safe the next day when they come into work.
Justin Shelley (01:55)
Mario, you've been around for 21 years. I guess you're old enough to drink finally.
Mario Zaki (01:58)
I am. I just turned legal.
Justin Shelley (02:00)
Good to know. Good to know.
Bryan Lachapelle (02:01)
Amazing.
Justin Shelley (02:03)
I'm, I'm way, I'm almost twice your age. All right. And I called no bullshit earlier, but then here we just, can't shut it down today. I am thrilled to meet or to introduce our guest today, Grant McCracken. Grant is the founder of Dark Horse Security, where he's making cybersecurity accessible and affordable for organizations of all sizes and budgets. That includes, you know, the little guys like us,
13 plus years in cybersecurity as an ethical hacker. And I hope we get to some of those stories. So Grant, thank you for being here and tell everybody a little bit about yourself, what you do and who you do it for.
Grant McCracken (02:43)
Sure. So name's Grant. And first off, thank you for having me. So like you said, right now, founder of Dark Horse Security, you already kind of covered the main points. Our goal with Dark Horse Security is to make cybersecurity, particularly proactive security. So like penetration testing, vulnerability disclosure programs, bug bounty programs, things of that nature, vulnerability assessments.
Justin Shelley (02:48)
You bet.
Grant McCracken (03:09)
making those more accessible and more affordable for organizations of all sizes and budgets. I used to be the VP of ops at a company called Bugcrowd, where we ran bug bounties, pentests, stuff like that. After I left that organization, I was like, okay, like how could I kind of give back a little? And the idea that sort of bubbled up time and time again was that
making those same solutions a little bit more affordable because like, you know, they're pretty expensive if you use like, you know, one of the main vendors in the space, Bugcrowd, HackerOne, you know, so on and so forth. And so, and I've just seen the power of bug bounty and crowdsourced security time and time again over the decade I spent at that company. And so I wanted to make that accessible to, as like you said, like the little guys, like SMBs that could stand to benefit from it. But,
you know, it's currently they're currently priced out or it's too complex or too onerous or something to that effect. So I'll stop rambling. Hopefully that's helpful.
Mario Zaki (04:10)
Now, Grant, do you work directly with managed service providers or do you work directly with end users or a mixture of both?
Grant McCracken (04:17)
Yeah, so,
yeah, I'd love to work more with MSPs or MSSPs. Right now, not currently doing that, but would love to do that. Currently, it's just working directly with organizations. So they'll come to us and say, we want to run a bug bounty, or we want a pen test, or whatever it is, and we kind of help them from there.
Justin Shelley (04:39)
So Grant, I've got to, I've got to slow this down just a little bit because we are starting to get technical and nerdy and we have a habit of doing that, but we are talking to business owners who probably have no damn idea what a bug bounty is or a pen test. So let's just for a second, get some definitions out of the way and talk a little bit about what that is.
Bryan Lachapelle (04:45)
Thank
Grant McCracken (04:45)
Sorry.
Sure. Do one of you guys want to go or you want me to, want me to swing at it? I don't want to bogart.
Justin Shelley (05:06)
You go, but you go,
Mario Zaki (05:06)
No, go ahead.
You're our guest. Because we have no idea what it is.
Justin Shelley (05:07)
you, you go and then we'll pick it apart. How's that sound? Yeah, exactly.
Grant McCracken (05:13)
Sure, yeah,
Bryan Lachapelle (05:13)
Yeah, but bug
Grant McCracken (05:14)
all right.
Bryan Lachapelle (05:14)
bounties for me is just you know paying somebody to get rid of the spiders and bugs in my house
Justin Shelley (05:19)
Yeah, same.
Grant McCracken (05:20)
Yeah, you're talking about your, your, you got some name for them. Some ladybug, some Japanese beetles. Mutant ladybugs, there we go. Yeah, so what's a bug bounty? Right. So as an organization, you've potentially got an attack surface. So you're a SaaS B2B business or B2C business. So you have a web application or something to that effect. Or actually, we'll just use like Google or Facebook. Right. So you've got this giant attack surface out there.
Bryan Lachapelle (05:24)
Japanese beetles. Mutant ladybugs.
Grant McCracken (05:50)
And you potentially run pen tests. So annually, quarterly, whatever cadence you potentially run a pen test on, usually done for compliance purposes or sometimes for risk reduction purposes. A pen test is short for penetration test, where you have a qualified security engineer follow a prescribed methodology to identify security vulnerabilities against your specific scope. Potentially, you will just kind of use Google as the example here. You potentially have like
a pen tester go test Gmail and they test for different security vulnerabilities and so on and so forth. The problem with that is that it's point in time. So if you continually release new features, those features aren't necessarily tested at the time that they're released. Again, if you just do it once a year, there's a whole 11 months, their time box usually. So they're going to test for a week, two weeks, month, however long, they're still not going to test.
forever. You're limited by their set of experiences, their skill sets on us. Anyways, so you say, okay, I want to get a little more proactive with my security. Now, obviously, you should start with an assessment or a pen test or things like that. But then you say, okay, if anybody can find a vulnerability in my systems, I'll give them money. And that's a bug bounty. So you so then you define rewards and you say, okay, so if you're able to find a and you say, okay, like a critical vulnerability is
And I'm not trying to get too technical, but we'll say like code execution or SQL injection or something like that. Right. So like that's a critical vulnerability because you could potentially do a lot of really bad things with that. Then you say, you know, less critical vulnerabilities, this other thing and so on and so forth. And you have like, usually it's like P zero through five where like a P five is informational, a P three is like medium and P zero is like everything's on fire right now. And so you say, okay, based on these things.
If you submit a vulnerability that matches one of these layers, we'll pay you a certain amount of money. So for instance, I believe if you, and the numbers vary, right? Depending on, you know, their team will look at it, but I think you can earn a quarter million dollars. I saw somebody the other day made like a quarter million dollars for like a sandbox escape on Chrome, right? So like Google again has like giant
attack surface, and if you're able to identify security vulnerabilities in different pieces of that attack surface, they'll pay you a certain amount of money for it. Same concept applies for anybody launching a bug bounty. Say, for instance, again, B2B SaaS, you just say, OK, if you're able to identify, you probably have smaller rewards, and you say, if you're able to identify a security vulnerability, we'll pay you a certain amount of money. The advantages of this is, one, it's continuous. Two, you only pay if somebody finds something. So you could set up a bug bounty.
And if nobody finds anything, you're not paying them any money. So you're only paying for results. So that's super cost efficient. And then you get the, you get the benefit of like a bunch of different skillsets looking at your application in different and unique ways. And fundamentally, you know, I've, I've run probably in, I, this might sound ostentatious, but I've probably run and managed more bug bounty programs than anybody on the planet. And, and in general, almost every single program
ends up providing significantly more value than if you just ran like a pen test. Now I'm not saying don't run a pen test, but like you almost always find something super unique and incredible. That's kind of a function of using the crowd. And again, I'm going to stop talking shortly. But like if you have a pen test with one person, you know, you're able to find a certain amount of vulnerabilities. Say you use five people, are you going to find more? Probably. So you use
50 people, you're probably going to find more 500 even more. Right. And that's the that's the power of bug bounties and what they what they bring to bear. So I will stop and hopefully that was useful.
Justin Shelley (09:46)
All I can think, Grant, is like week after week, we sit here, we talk about how we can get out of this category of the low hanging fruit. And we want the hackers to not know we're here and go away. And basically what you're saying is screw that paint the target right square on your back and then stand up on a, you know, on the, you know, over the freeway and show it like, come get me. Right. Is that what you roll out the red carpet and just say, Hey guys, come get me kind of.
Grant McCracken (10:12)
The reality is, a lot of people, especially legal teams, tend to have an aversion to this, right? Because they have exactly that. They're like, wait a minute, we want people to hack us. But the short answer is the bad guys are doing it anyways. You're not like, the bad guys aren't like, they're running a bug bounty, I guess we'll go attack them now. Right. They're, they're already like looking for those vulnerabilities actively and they're exploiting them. So all you're doing is leveling the playing field. So
Justin Shelley (10:26)
Right, right.
Bryan Lachapelle (10:26)
Great.
Justin Shelley (10:40)
Okay.
Grant McCracken (10:42)
And again, there's I'm also not saying that everybody needs to run a bug bounty because ⁓ it some organizations aren't ready for it, right? Because you will get a lot of attention. Your people are you and sometimes sometimes you got to handle that low hanging fruit first before you kind of go expose yourself to to everybody identify vulnerabilities, because sometimes there's just going to be a lot of noise. But when you get to the point where you as an organization are looking to.
Mario Zaki (10:57)
Thank
Grant McCracken (11:10)
reduce your risk in a meaningful way, especially in terms of like externally facing vulnerabilities. There's no more effective tool, at least in my view, and of course I'm biased, there's no more effective tool than, than bug bounties to just identify vulnerabilities at scale.
Justin Shelley (11:25)
Mario, Bryan, thoughts?
Bryan Lachapelle (11:27)
Yeah, go ahead, Mario.
Mario Zaki (11:27)
Yeah, I, go ahead, Bryan.
So you said external vulnerabilities now are how does somebody like when when when they're bringing on a team like yours, do they just say do external or do they give you access to internal tools? And then how do they know that this is going to be then the information that they use or that?
The credentials used will then be disposed afterwards.
Grant McCracken (11:58)
Sure. So to answer the first part of that, is it internal or external? The vast majority of things are external, right? So again, you're going to have like, you know, exposed web app or stuff like that. You do have cases where organizations sometimes will drop you onto an internal network. They'll stick a, you know, or we'll stick like a VM on their device and then we'll allow,
you know, hackers to have access to it via like a VM or not a VN, a VPN or something to that effect. In those cases, what we'll do, especially in like more sensitive context. So there are multiple ways to run a bug bounty. And I think that's also something worth being aware of is that you don't just have to run a bug bounty to the whole world. Come attack me, you know, come and get it. You can also, by using a platform such as Dark Horse or
HackerOne or Bugcrowd, you can have a much smaller, more targeted bug bounty program. So you can potentially invite five people, 10 people, 15 people. And when we do that, right, when somebody comes to me and they say, hey, I'd like to run a private bug bounty program. And I want to make sure that we're using people that we really trust because these credentials are super sensitive. They're going to have access to systems that are privileged or whatever.
What we'll do is we'll use background checked testers that we have like a high degree of trust in, right? So we have like a trust scoring system where, you know, there's people that you trust more because you work with them and because you work with them more than other people. And obviously you can move up in that trust hierarchy. But that's how we typically mitigate for situations where we need to have an improved degree of trust. Does that answer that question?
Mario Zaki (13:47)
Yeah, yeah. Thank you.
Bryan Lachapelle (13:49)
Grant,
I'm curious to ask, the majority of us are dealing with small, medium-sized businesses, anywhere from 10, 100 employees. What would be a type of business that would want to have a bug bounty in those cases, right? Small, medium-sized businesses, maybe they don't have a SaaS application that is developed and they're exposing the internet, but maybe they have something else. Do you have clients that are small, medium-sized businesses that sort of have something exposed?
to the public that they want to bug bounty on, but that isn't your traditional SaaS application, like an ERP or something like that.
Grant McCracken (14:29)
Yeah, sure. There's no, right. So when I think the first part of the question was when is it like potentially a good time or like what would be the kind of the use case? The use case in my mind is if you want to reduce your risk. Right. When you get so, and again, it's the number of organizations or the size of the organization varies a lot. Like sometimes you have really forward thinking like
five person organizations and they're like, we're going to run a bug bounty. And then you have hundreds of people at an organization and they're nowhere close to the same security maturity. It really varies. You get, you get, or we get organizations that are fairly small that, that may not have as much attack surface, but they just say, we want to know what's out there. So we say, okay, anything that belongs to our organization, if you can find it on the internet, if you can
prove that it belongs to us and you're able to find a security vulnerability, we want to know about that. And so you can run a bug bounty on literally anything. For instance, there have been companies that have run bug bounties on LLMs. And again, you can construct this in any way that you want. For instance, say you want to identify bias in an LLM, you could run a bug bounty on that.
So it's not necessarily like a SaaS application or anything like that. It's an LLM that you're throwing different things at to identify bias. And then you report that. Go ahead.
Justin Shelley (16:05)
I'm going to pause you again and let's do some definitions.
So I think by now everybody knows what AI is. Maybe they know LLM. Maybe not, but just in case. LLM means what?
Grant McCracken (16:09)
Yes, sir.
Large language model.
Justin Shelley (16:17)
Okay, so
it's the engine behind the AI that we're all talking about. Right. Yeah. Attack surface. You've mentioned attack surface several times. I'm going to punt this one to Mario because you look too comfortable and quiet. Mario, what is an attack surface?
Bryan Lachapelle (16:20)
ChatGPT, things like that.
Grant McCracken (16:21)
Yep.
Yep.
Mario Zaki (16:28)
Hmm.
It is the front end of the platform that the end user will see that the outside world can see. Is that right?
Justin Shelley (16:43)
Okay, I don't
know, Bryan, what do you think about that definition? You got anything to add to that?
Bryan Lachapelle (16:48)
I mean, it's like from a very short and sweet. Yep, that's pretty much it. It's anything that the public has access to that you are exposing your internal systems and or, for example, a website is an attack surface, right? Anything that's on a website is by definition an attack surface because it's publicly exposed to everybody out there. If you have a VPN, the VPN connection itself could be an attack surface, even though they're not yet in there, they can potentially get in via a VPN if people notice there.
For example, in the past, you used to go to remote.yourdomainname.com and small business server would allow you to remote in that way, that would have been an attack surface, right? So anything that the public can gain access to, regardless of how they gain access to it is considered an attack surface.
Justin Shelley (17:31)
Okay. Anywhere the bad guys can get in, right? The more complex your system is, probably the more attack surfaces you have. You know, if I'm a handyman and I don't even have a website and I just go out and I build decks for people, I probably don't have much of an attack surface.
Bryan Lachapelle (17:46)
I'll give you another
example of an attack surface. Your Wi-Fi in your office is an attack surface. It's publicly exposed. Right? You walk inside somebody's building, you see their Wi-Fi connection, you can try to hack it. That is a publicly exposed attack surface.
Justin Shelley (17:50)
Yeah, yeah, yeah, yeah.
All right. Okay. All right.
Grant McCracken (18:00)
And a
really fun addition to attack surface, too, just because I was doing stuff with the NIST cybersecurity framework earlier, your supply chain is part of your attack surface. That is a monster piece that like a lot of people forget about. Like, yeah, sorry, I'll just put that out there.
Justin Shelley (18:13)
Correct.
Bryan Lachapelle (18:18)
100%.
Justin Shelley (18:20)
which
we don't have a ton of control over some, that's a whole different episode we need to get into. Okay, so you mentioned frameworks. I want to talk about NIST in particular. Is this something that falls under NIST, bug bounties?
Grant McCracken (18:40)
Good question. Not explicitly. I believe in the NIST cybersecurity framework, you've got the identify and protect categories. Technically in there, it's identify security vulnerabilities. So this could meet one of those. There is something else that we do called the vulnerability disclosure program that is expressly part of the NIST
Justin Shelley (18:52)
Right.
Grant McCracken (19:07)
CSF that talks about, and again, when I say CSF, I'm talking about cybersecurity framework and NIST being the National Institute of Standards and Technology. There is a point in there that says you need to have a way to receive vulnerability reports. And so that's what a vulnerability disclosure program is for. And a vulnerability disclosure program can be as simple as like
If you found a vulnerability, email security at our company. But we also make it easier for organizations to do that via platform. Long story short, it can satisfy some of the CSF requirements, but it's not expressly part of it. Does that make sense?
Justin Shelley (19:52)
So if you're going minimal
compliance, you're probably not doing this, if you're, if what I'm, if you're just checking boxes, probably this isn't where you're going. But if you really want to be safe and know what's out there and know, know your blind spots, right? That's, that's really what this is about is knowing your blind spots. Correct. Bryan.
Grant McCracken (20:10)
Yeah, yeah, I mean, it's, it's, go ahead.
Bryan Lachapelle (20:10)
I was
going to ask a question, and you can answer the one you have now first if you so choose. We have a lot of small businesses, I talked about that before. How does a business know that they would need a bug bounty? What kind of software, what kind of exposure, what kind of attack surface the average doctor, lawyer, accountant, manufacturer would run into that
they could self-identify and say, you know, maybe I need a bug bounty. Maybe I need to do this.
Grant McCracken (20:46)
Yeah, so to answer that question.
There's. That's a, that's a good question, like where, where's that line? I'm not totally sure. I think it's going to, it's going to vary because again, ostensibly, you could, you could have a bug bounty program no matter how small you are. You could run a bug bounty program on yourself, right? You could be like, hey, are you able to like hack my personal emails or something like that? Right. So like you could get super small with, with your scope.
Realistically, if I was to put, if I was to put like a line, I'd say at the point where you have your own in-house built sort of, whether it be like an application or something to that effect, if you're just using like off the shelf software, generally that stuff, well, first off, like if there's a vulnerability in Salesforce, that's not really, I mean, it is your problem if it gets exploited, but like, that's not yours to fix. Now there's all exactly.
Justin Shelley (21:49)
Nothing you can do about it.
Grant McCracken (21:51)
But there also is configuration issues. We see all the time people misconfigure S3 buckets or stuff like that. So there are definitely ways that you could set up infrastructure and these off-the-shelf solutions in ways that are vulnerable. But my general benchmark for organizations would be if you have something that's custom built, that would
that's externally facing, you probably want to run a bug bounty on that to try to make sure that you're doing maximum risk reduction.
Mario Zaki (22:29)
And does that include like brute force attacks? You know, trying to crack passwords and stuff like that?
Grant McCracken (22:36)
It can. So when you set up a bug bounty, you're able to define the scope. So, or the, what you want people to test. For instance, things like DDoS are usually going to be out of scope, right? Because, you know, that's, that's not really, you know. I don't know, it's not really something, I mean, you can like kind of fix it, but if you're a small organization, you're not super concerned about like DDoS vulnerabilities and at a large enough scale, right? With a billion, you know,
different devices attacking you at the same time, you're going to go down one way or the other, right? Exactly. So, so, that's one. You probably don't want attackers, you know, and again, sometimes this is part of the scope, but you generally don't want people doing cred stuffing attacks or stuff like that, because you'll usually have some sort of lockout mechanism. It can be very noisy for your users.
Justin Shelley (23:09)
There's nothing you can do about it, yeah.
Grant McCracken (23:33)
So if they're trying to gain access and then they get locked out after five attempts, then you're screwing everybody downstream. You generally don't want people to mess with your contact form. You want them to limit their automation. You generally want them to test with some kind of rate limiting, things like that. So you can set up parameters by which to make the testing less invasive, if that makes sense. And you also...
Bryan Lachapelle (23:42)
you
Justin Shelley (23:59)
Do your guys ever find,
Bryan Lachapelle (23:59)
What are some of the comp-
Justin Shelley (24:00)
do you ever find honey pots?
Grant McCracken (24:03)
Ooh, I'm not sure.
Short answer, yes. Right. So if, in order to, but like it's not super often that like organizations actually set up honey pots, at least within like this context. Right. You have to be a pretty mature security organization to be like, yeah, and then we're going to set up some fake stuff. So it's absolutely possible. Sometimes they'll disclose that in advance. They'll be like, hey, you know, if you get to this certain
Justin Shelley (24:09)
Yeah, okay, okay.
Right.
Grant McCracken (24:35)
you know, if you're getting this response from this endpoint, you know, like disregard, because one of the things that happens over the course of running a bug bounty program is that you, you it's, it's a very iterative process, right? Where you, don't, cause if what would happen is, is if there's a relatively easy to find honeypot and everybody finds that same honeypot and then they're all hitting it and then everybody thinks it's a valid issue. And so they submit a report and so you have to process all those reports. And so you don't, you paradoxically, you
Justin Shelley (25:03)
Right, that's true.
Grant McCracken (25:05)
don't really want like hundreds of reports over the exact same thing time and time again. it, it
Mario Zaki (25:11)
and you're probably gonna pay them
for finding the honey pot.
Grant McCracken (25:16)
Well, and that becomes a whole different conversation because on average organizations are like, we don't want to pay for that because it's not an actual vulnerability. And so then you have to have like a nuanced conversation with the hackers or researchers, however you want to refer to them to be like, Hey, this is actually something we put out there and sorry, we'll notate it on the program summary to make sure that nobody submits it in the future. Here's like,
Here's $20 as like, we're sorry or something like that. So there's a lot of different ways that can potentially play out.
Justin Shelley (25:47)
Okay. You brought up numbers.
Let, let's go pricing. So I'm, I'm a small business. I'm let's, let's say I'm a, and actually I'm, I'm running an assessment for a company. So I'm going to use them. I'll redact all their information, but they, they fall under CMMC. So, or NIST 171, whatever you want to call it, right. Just did their full assessment. What a company of 15 employees. And let's just say they want to go proactive and they want to set this up in that situation.
Grant McCracken (25:52)
no.
Justin Shelley (26:16)
What kind of a program should they set up and what would it cost?
Grant McCracken (26:20)
Um, so I'm going to be a little biased here, right? So with Dark Horse, um, we're, we're trying to democratize access to these solutions. So if you, if they wanted to set up a bug bounty today, they could do it for free on Dark Horse. So on Dark Horse, what we have is a model where we don't charge for the first 25 reports. And then we charge per report after that. And it's a fairly small number. It's like $9 a report or something to that effect.
So same goes for vulnerability disclosure programs where it's free to set it up and we don't start charging till you get beyond 25. So you could set it up today and be off to the races. Now where you're potentially going to end up paying money even before those 25 are up is on the rewards. So you set up your rewards and you say, okay, so I'm going to pay. And if you're a small organization, right? So it's going to vary, but I
our general strategy is like crawl, walk, run. So we say, okay, let's start with small numbers. We don't know what we don't know. So, and we have a P zero through P five sort of methodology. So we say, okay, so for, for, we won't pay for P fives and for P fours, we'll give like a very small amount of number, a small amount of dollars, right? We'll give like $50 and then we'll give like 150 for a P four anyway.
All the way up to, we'll say like 500 for a P1. Now again, this is very small. These are very small numbers. Again, if you're a larger organization, more robust security posture, you're going to be paying a lot more in rewards. Again, you see stuff as high as a quarter million for, for, know, critical vulnerabilities that are very complex. But, so yeah, you'd, you'd probably, that would be the main source of costs, at least initially for a smaller organization. Now, once you get beyond those 25,
Say you get a hundred reports over a year, $9 a report, you're looking at $900 in platform fees and then whatever you're paying your rewards. then we do have to take like a small percentage of the rewards to be able to pay for, we do OFAC checks, make sure you're not paying like people in North Korea or Iran or Sudan, stuff like that. And then currency conversion, again, also cost money and so on and so forth. So that's the short of it. Did that answer your question?
Justin Shelley (28:43)
Yeah, no, I mean, you said it's affordable, it's within reach of small businesses, and I just wanted to make sure that was true. You know, I, yeah, I definitely see that as a possibility. Bryan and Mario, you're, Mario, you look like you have a burning question over there.
Bryan Lachapelle (28:51)
you
Mario Zaki (28:58)
No, no, no, I'm just taking notes.
Justin Shelley (28:59)
all right,
all right.
Grant McCracken (29:02)
And just for
reference, right, it's significantly more expensive through other solutions. Just so we're clear, right? Again, the average contract value according to vendor.com for like HackerOne or Bugcrowd is like 40 ish thousand dollars, but you can have six figure contracts, you know, slightly smaller contracts, stuff like that.
Bryan Lachapelle (29:08)
Yeah.
Justin Shelley (29:21)
So how can you do this so much cheaper?
Grant McCracken (29:27)
Well, one, I'm not making any money off of it. So I guess that's probably the first thing. I care about, I care about this. These again, I think that these are really novel solutions that I think everybody should have access to. So that's the, that's the first thing. Two, it's software. So it just scales infinitely. It doesn't really cost a ton of money to, you know,
keep running. It's just a platform that receives vulnerabilities. They process the vulnerabilities. They pay the vulnerabilities. Again, all those costs are kind of self-contained. I don't have a board or investors to satisfy. That's, again, just what I've built for the reasons I built it. I think that generally covers it. With pen testing, it's a little bit different. We do have some margin there, but with bug bounties and vuln disclosure programs, we're not
really trying to make a bunch of money.
Justin Shelley (30:25)
So you're making your money somewhere else because you're not a philanthropist.
Grant McCracken (30:29)
I don't know if I'm making any money.
Justin Shelley (30:31)
Or are you? Maybe you are. You're independently wealthy and
okay, okay. You at least have enough money to buy a computer so you could be here today. Putting you on the spot a little bit.
Grant McCracken (30:36)
I, yeah, I'm not, yeah.
Yeah, we're not making a bunch of money
off this. Yeah, pen testing, pen testing we make, we have margin. And so that's where we kind of make our bread and butter. I don't know if that's the right term, where we make our bread and butter. We don't make bread and butter, but like that's our bread and butter as far as like where revenue comes from. And yeah, for lack of a better term, the bug bounty and VDP side of the house is philanthropic, for lack of a better term.
Justin Shelley (31:04)
Right.
Okay. Hey,
fair enough. Fair enough. Listen, I've got my passionate projects as well that I don't make money on. So, okay. Good stuff. I mean, listen, when you and I first talked, I'm not going to say I didn't know what a bug bounty was. I do, you know, these have been, this is not a new concept. They've been around for a while, but I will tell you, it wasn't really on my radar. It's not like I, and this is why I quizzed you before, because it's not specifically laid out in any of the frameworks. Maybe not, maybe it's somewhere, you know, but
like I said, I just went through 110 questions on CMMC level two. It's not in there, unless you want to interpret, like you said. So this is a, it's a really interesting subject for me because my number one goal in the world of security is to know my blind spots. And by definition, we don't. So we constantly have to be looking for them and shining that flashlight in places where we don't think we're going to find stuff.
So that said, my burning question is when you go out and you offer the reward and somebody else is doing this, what's the most outrageous thing you found or what's the most common thing you find or your hackers find? Because I will call them hackers. I love that term. It's the title of our show. What's out there? What are these blind spots that we don't really think about until somebody comes in and shows them to us?
Grant McCracken (32:41)
It's not, it's not directly on the nose, but I'll, I'll, I'll run with this. The, the, the story that first comes to mind here is, I was working with a bank and, and, they wanted a bug bounty and, you know, because somebody heard this was like an interesting thing to do. And so they, they come in and they, they, they set up a bug bounty and, and, but they're, they're just like, we just want to test like
our crown jewels, right? What's super important. And so they end up setting the scope up as like this login form to like their main banking site, right? So like if you think about a bank and like you just go to the login form, right? That's probably going to be pretty secure. Like it'd be very surprising to have SQL injection on that login form or some vulnerability where you're able to like break their authentication or something to that effect. So they were pretty
Justin Shelley (33:35)
I mean, we hope it's secure.
Grant McCracken (33:39)
Yeah, right. So I mean, the number of times I've seen, the number of times I've seen like tick and one equals one, you know, work for, you know, SQL injection on, on, on different forms is actually terrifying. But anyways, but they were insistent on just testing this one thing and, and
Justin Shelley (33:57)
Yeah.
Grant McCracken (34:08)
And I was like, okay, well, like, this is going to be super secure. Like, you know, I think you've got a lot of attack surface that's like outside of this. You know, I think we should be focusing there. And the analogy I always give is like, if you, if you have like a vault for a front door for your house, right? Somebody's, you know, sure, nobody's getting in that front door, but like, they're just going to go around the back and come in the doggy door, or they're going to come in through the window that you left open or something else. Right. Like you have a bunch of
Justin Shelley (34:31)
I think they dig a tunnel underneath
the vault and then they blow a hole through the bottom, at least in most of the movies.
Bryan Lachapelle (34:35)
Yes.
Grant McCracken (34:36)
Yeah. Yeah, there's a lot of different ways to skin the proverbial cat. While you're skinning cats, I don't know, but like, sorry, but.
Bryan Lachapelle (34:39)
Yeah.
Justin Shelley (34:45)
They're tasty. Whoops. I better edit that out
Grant McCracken (34:52)
So there's a...
Justin Shelley (34:53)
Too soon, too soon.
Grant McCracken (34:57)
So there's all this other extra attached. So like, but you know, so they go, you know, months, no vulnerabilities. And, and I just have to keep repeating this message to them. Eventually I get them to go to like a wildcard, which is like a star dot domain dot com. Right. So like anything. So it's not even saying like anything that belongs to this company is in scope. It's just like, just this, just any subdomain of like the main domain for this organization. And,
Mario Zaki (34:57)
Thanks
Grant McCracken (35:26)
And overnight, they got blown out of the water, just tons of critical vulnerabilities. And it was, I mean, eye opening for them, but it's just stuck in my memory as like, yeah, like I told you so. And of course, you know, they, they burned through, you know, like six figures of rewards and then some, just again overnight, by, by expanding that aperture. And so a lot of organizations, I think, the
coming around to answering the original question, which was like, what are people missing? And it's that exposure, right? If you have a very myopic lens on what you're kind of securing, you're potentially leaving a lot exposed. And so I think that's one of the things that bug bounty does extremely well, because pen tests have to be scoped, right? You have to scope your pen test to, otherwise, you know, it's just gonna be this, I mean, you can have like unscoped pen tests, but there's just gonna be this wide ranging sort of situation and...
Justin Shelley (35:58)
Yeah.
Grant McCracken (36:22)
It's not necessarily going to be super useful for like compliance and stuff like that. Usually it's a little more tightly scoped for that sort of stuff. But anyways, long story short, bounty is extremely good at finding things that like you wouldn't have thought about. And so that's kind of my story there. I don't know if that answers your question now that I've rambled way too long.
Justin Shelley (36:43)
Yeah. Nope. That
that's perfect. Like I said, this is, this has thrown a new thing onto my radar. That's what I love about being on this show every week. And you know, there's, there's never a lack of opportunity to try to up our game in the world of cybersecurity. So we're going to go ahead and wrap up this week. Brian, Mario, I need your final thoughts though. Key takeaways, lessons learned. What would you like people to know if they only heard this part of the show? Mario, you go first.
Mario Zaki (37:14)
So I think once you've reached a certain level of maturity in your cybersecurity or your development, you need to bring in somebody to try to break what you've done. And they're doing it with help in mind. And like what we were saying before we started recording is that it's going to happen no matter what. You might as well do it in a controlled environment.
Justin Shelley (37:42)
Right. OK, Brian.
Bryan Lachapelle (37:47)
For me, I always like to bring everything back to a journey. And so, Mario is spot on. You're going to start your journey by plugging the holes that you know of, plugging, going through different security best practices. And once you've implemented all the things you think are best practices, the things that are in the CIS controls and in the NIST controls, and you've put everything in place, at that point there, why not open it up to the ethical hackers out there to see if
if you have a vulnerability you don't know about. And for small businesses, where this would apply would be if you have any exposed web application. For example, if you're an accountant and you offer people a web login portal where they can submit their documentation and submit their records, right? That might be an attack surface that you would want somebody to test through a bounty program like this. So any application, web application that you expose to the internet,
If you're a small business, go through your due diligence, go through the journey. And then once you feel like you're in a position where you've done everything you can, why not? If you've got nothing, you will pay next to nothing. But if you have something, at least you know about it.
Justin Shelley (39:00)
Those blind spots. All right. Grant, thank you so much for being here. Really appreciate it. If somebody listening today decides they do in fact want to run a bug bounty, where do they find you? What? Yeah, just, just give your contact information. How do you want people to reach out?
Grant McCracken (39:17)
Sure. Yeah. So my home address is, I'm joking. It's probably, it's probably out there. Yeah. So, my name is Grant McCracken. Obviously you can find me on LinkedIn. That's one of the easiest ways to find me. So if you type like Grant McCracken, Dark Horse, you'll probably find me, or Grant McCracken security. You'll find me. If you connect, maybe
Justin Shelley (39:20)
listen, we already know that. We looked that up before we got on here.
Bryan Lachapelle (39:24)
We doxxed you ages ago.
Grant McCracken (39:45)
mention something about the podcast or something to that effect, because there's a bunch of connection requests from people that I don't know that I don't take. So, or yeah. And then you could also reach out to grant at darkhorse.sh, and then obviously our website is darkhorse.sh. You can go through any of the contact channels there, but any one of those will eventually route you to Dark Horse.
Justin Shelley (39:53)
trying to sell you something or hack you.
Grant McCracken (40:14)
probably me at some point. Yeah, hopefully that works.
Justin Shelley (40:18)
Perfect, and...
Mario Zaki (40:18)
Awesome last name by the way, I love that last name, okay? It's
like McLovin, you know, what is that, from American, not American Pie, it's... Superbad, yeah. Yeah, I love that.
Grant McCracken (40:21)
Thank you.
Superbad.
Bryan Lachapelle (40:29)
Superbad.
Grant McCracken (40:31)
Yeah.
Justin Shelley (40:33)
I'm not familiar with
Grant McCracken (40:33)
Thank you.
Justin Shelley (40:34)
that reference. All right. Well, guys, as always, I'm not saying I haven't. I don't know if I have or not. It doesn't sound familiar. And I don't, I don't want to talk about this. Last week, I got embarrassed about D&D. And what else was it that I don't, I don't participate in? Listen, I grew up super religious thinking that all this stuff was bad. I wasn't allowed. I was not exposed to much of this stuff. D&D was the devil. I couldn't do it. And was this movie rated R?
Mario Zaki (40:37)
You've never seen Superbad?
Justin Shelley (41:01)
Like if we're going to go there, if you're going to press me, I can't watch R-rated movies. Mario, I was Mormon. So I, I dunno, I missed out on a lot. I missed a lot of stuff. So thank you for bringing up past drama. Anyways, guys, we're, we're going to wrap up, but if you're listening to this on your phone, just go to the long description on Spotify or Apple Podcasts or whatever, and you'll see all the links. You can go to darkhorse.sh. You can find Brian's
Grant McCracken (41:02)
absolutely.
Mario Zaki (41:07)
I don't know, it's at least PG-13.
Grant McCracken (41:10)
I'm pretty sure that was R.
Mario Zaki (41:16)
Yeah
Justin Shelley (41:30)
beautiful face and his link and his company and Mario's as well. And then if you'd rather just type in a website, go to unhackmybusiness.com. There's the official debut of our new website for the show. Unhackmybusiness.com will have all the episodes, the show notes, the contact information and all that stuff. So guys, thank you for being here. Really appreciate it. Mario, Brian, Grant, really thank you for being here guys. We will see you next week. Take care.
Mario Zaki (41:54)
Take care, guys.
Bryan Lachapelle (41:55)
Take care.
Grant McCracken (41:55)
Thanks for having
me.