I'm co-founder of CrowdCurity, a Danish startup that offers Crowdsourced security test to companies with web applications. The idea in short, is that businesses via our platform invites security testers from all over the world to test their website, if they identify a vulnerability the business pays a reward – if no vulnerabilities are found no reward are paid and there are no costs for the business.
On our website www.crowdcurity.com you can see the platform and learn more about the concept.
We have already had some programs running and we are very impressed about what the security testers can find and our customers are very happy and all say they have gotten a lot of value from it.
A few years back, a blog written by hackers emerged on the Romanian market. Back then, I was working as a web developer for the biggest jobs site on our market (>3M revenue).
One morning, we got an email from the guy who started the hacker blog. It was a simple SQL injection that revealed a lot of sensitive data like user emails and contact data. We were instructed to fix this in 24 hours or he would go public and expose our error to the public. Nice guy, he gave us the benefit of the doubt. If we were a serious business, interested in the security of our users' data, we'd jump and fix things. If not, we deserved to be exposed.
We spent the entire day going through every single script on the site and tried to secure everything we could think of. The coding had been done years before by a different team and we found a lot of security holes.
The second day I went to my boss and told him the only way we're going to get them all is to hire the hackers to mess us up as badly as they could.
It was a win-win for everybody.
So, what I'd suggest is this:
1. Don't target startups. They have so many on their plate and so little resources, a small-to-medium security flaw won't be a huge priority. Making payday and turning a profit is top on their list.
2.Target companies with a lot to lose due to security. Go for the big guys.
3. Find one error, report it to the highest management level you can find contact details for, explain the risks and pitch your service.
I'm currently running a SaaS where data security matters. We already did a crowdsourced vulnerability test and it was a pain to set up. I'm really happy to have found out about you guys!
If you'd like to brainstorm a few more sales ideas, let me know, give me a few days to do some research and book a call.
Either way, let's keep in touch!
Matt
I like the idea and think - executed correctly - it could be big. BUT, I think the approach you take has got to be very careful otherwise you create a brand impression that makes you far less attractive to potential customers.
No one wants to admit that there is even a potential for security breaches in their site so despite the significant value your service potentially provides, there are a lot of hurdles to a sale here.
I would caution against approaching companies with a flaw discovered as a selling point. It had potential to create the wrong perception and it would involve cost to your community without guaranteed payout.
I would also consider broadening the service to in-depth technical testing. UserTest (IMO) doesn't deliver on real QA needs so making security vulnerabilities part of the service might be better for everyone.
I'm sure in a call for 30 minutes or less, I could give you some very specific tactical advice that would increase your initial success.
Either way, best of luck!
Target Marketing combined with short and to the point. First, know your market. Only approach those who KNOW could benefit from your service. Make the calls short and on point. When cold calling, I know my audience and I only ask for 11 minutes of their time. I can present my product in under 6 minutes leaving them enough time to answer questions. The key of the initial call is to get the appointment, NOT make the sale! Too many people try to go from Hi to Buy in under 3 minutes on the phone when someone's day has been interrupted! Also helps to call before 8AM and after 4:45PM as those time the gatekeeper is usually not answering the phone. I find 5-6PM on a Friday night to be a good time as most business owners are still cleaning up from the week. Again, know your prospect. This may not apply to you if your prospects are employees looking to get home!
According to Builtvisible, there are nine factors to consider when determining the value your product or service provides your customers:
*Product function: What will your product or service do for your customer? What effect will it have on their life?
*Points of differentiation: What is your product’s unique selling point? What sets it apart from similar products on the market?
*Quality: Is your product durable? Is it made to last? Will the services you provide continue to benefit your customers over time?
*Service: What “extras” do you provide your customers once they’ve paid for your product or service?
*Marketing: Have you created a “buzz” around your product or service? Are the benefits of your product well-known?
*Branding: Is your brand a true representation of the level of quality you provide, and of the values your company stands for?
*Customers’ existing relationship with your company: What have your customers’ experiences been when interacting with your company in the past
*Personal bias from experience: Unrelated to your company specifically, what does your target customer think about the product you offer?
*Price: How much do you sell your product or service for? How does the price of your product compare to that competing companies’?
Here are more tips on how to bring value to your customers: http://www.fieldboom.com/blog/customer-value/.