With an increasing number of systems and an ever greater reliance on IT systems, cyber security has become a major challenge for many companies. Several Dutch startups are working on solutions to tackle this challenge, including Zerocopter. This new company with an experienced team is creating a complete end-to-end security platform, combining security research, automated scanners and hacking services companies need to ensure they are secure. We interviewed founder Junior Meijering.
What does Zerocopter do exactly?
Zerocopter is a continuous, crowd-sourced security platform, from which companies that want to test and strengthen their security can get the security services they need. We launched Zerocopter in the second half of 2015 as a spinoff of Insite Security – an established security firm where companies can hire experienced staff for security testing and advice. With Zerocopter we aim to provide the same level of service in a more scalable, productized fashion using a matchmaking platform for companies and security expertise.
One of the most successful Dutch startups is Hackerone (one of the companies receiving the most funding in 2015). They are the leading bug-bounty platform, where ethical hackers get rewards for trying to break into companies. Is this similar to what you are trying to do?
Hackerone is certainly a great example of how to manage a bug bounty program, and it is really great to see that they are internationally successful. They are, however, focused primarily on one aspect of improving your security: bug bounties. Bug bounties are specific programs where companies can invite the public to hack their system, and reward them if they find a vulnerability. Our approach is a complete solution, focusing on all aspects of security instead.
So what does your service look like?
We offer different levels of services for different levels of company security maturity, to help elevate their security step by step.
At the first level, we offer scanning services that find the most common vulnerabilities for you. We run the scanners once, so that other security researchers do not have to do multiple high-volume, expensive scans later. Companies can decide to start with scanning only, just to make sure the basics are covered.
Secondly, we enable our customers to manage a responsible disclosure program. Responsible disclosure means that you provide a way for users to report security findings if they find them. Such a program is needed because without a responsible disclosure policy, security testing is illegal (this is called “computervredebreuk” in Dutch) and anyone will be very hesitant to share information. Even companies that do not want to run a bug bounty program need a responsible disclosure program. We offer to manage this program: we do an initial check to show the relevant reports and we group similar reports. This makes responsible disclosure a lot more efficient for company security officers.
Once companies feel confident that the obvious and easy-to-hack security holes have been plugged, we offer them a managed bug bounty program. We have a pool of highly skilled, selected security researchers, and we manage the amount spent on rewards to make the costs and availability predictable for companies and security researchers. This approach professionalizes the entire bug bounty process and ensures a high quality of vulnerability reports.
All of these programmes can run on a continuous or near-continuous basis, to make sure that security is repeatedly being tested, and that any new information that comes up will also be made known to the company in a timely manner. Once a security vulnerability has been found, organizations and security researchers can collaborate inside of Zerocopter and work together to fix the security vulnerabilities.
When and how did you start?
We started in 2014, with the idea of productizing security research. We used the lean startup method, so we talked to a lot of corporates as potential customers, as well as to security researchers, to see how our platform would be appealing to them as well. In the summer of 2015 we had our initial service idea. To launch this service we needed a management platform, and we also needed to get a few experts on board. We started looking for an investor and luckily we found Investion, who invested and came aboard as an advisor. My former employer, Insite Security, also acts as an investor and is on the board. We launched our website and started experimenting with a select group of pilot clients.
How did the service evolve in the past months?
The biggest change is that we split our combined service into different components. IT security is a large area and all organisations have many different needs because they are at different stages. For now we have split our one complete solution into three different services so we can fit the needs of our clients better and expand into additional services in the future.
You opened up an office at B.Amsterdam (the new center opened last year, home of Startupbootcamp). What is your experience at B. Amsterdam?
We really like the stimulating environment. We are planning to grow quite a bit, so we wanted a large office space. Also, as a security company, it is better and more secure to have a closed office and not just public flex-desks. We rented a big space, together with Insite Security. For Zerocopter, it is very helpful to be closer to other researchers and investors.
Bug Bounty Programs, the Way to Turn Black Hats Into Ethical Hackers: Interview with Zerocopter’s Edwin van Andel
Written by Zerocopter
March 23, 2016