
M&A Due Diligence and Cybersecurity: Bugcrowd Bundle Assists the Process

Bugcrowd, which operates a crowd-sourced bug bounty and vulnerability disclosure platform, has released a pre-bundled set of security tests to help companies assess cybersecurity vulnerabilities that could influence mergers and acquisitions (M&A).

The San Francisco-headquartered company said the point of the package, which it is calling M&A Assessment, is to expedite an evidence-based evaluation of a merger target’s cybersecurity posture. Under one umbrella it combines remotely-deployed penetration testing with advanced asset discovery, alerting, attribution, prioritization, and management capabilities in its platform. According to Bugcrowd, organizations can initiate these tests in 72 hours or less and access results in real-time.

Ashish Gupta, CEO, Bugcrowd

“Mergers and acquisitions are inherently complex and lengthy processes. Historically, the M&A diligence process had focused on financial, legal, commercial and technology risk, with limited attention placed on cybersecurity risk,” said Ashish Gupta, Bugcrowd chief executive. “With the sprawling digitization of information and assets, and the resulting increase in cyber threats, companies are rapidly expanding their security assessments during the diligence period.”

Bugcrowd said the M&A Assessment set leverages a global network of vetted and selected security researchers to evaluate the security posture of target assets exactly as attackers would. This allows organizations to identify potential blind spots, mitigating the risk of an exposed asset or potential breach. “Bugcrowd has responded to its customers by using our unique capabilities to identify and assess vulnerabilities that could influence an M&A process and negotiation,” Gupta said.

Here’s what’s in the M&A Assessment collection:

  • Penetration testing: Pay-per-results or pay-per-project testing enabling organizations to identify and harden their attack surface.
  • NDA-backed testers: Global network of NDA-backed pen testers provides immediate access to trusted, experienced talent versed in every engagement.
  • Asset discovery: Compiles an organization’s asset inventory to surface previously unknown or unprioritized and potentially vulnerable internet-facing assets.
  • Launch: Customers can access test results in real time, enabling daily status updates.
  • Audit-ready reports: Executive-level reports are available in three weeks, comprising the analysis, risk scoring and recommendation of penetration testing and attack surface management.

Here’s how it works:

  • Rapid resourcing: Targets identified; resources matched by skill and experience.
  • Triage & prioritization: Incoming vulnerabilities or discovered assets are validated/attributed and risk-ranked.
  • Aggregation: Results from pen test and asset inventory are aggregated and assessed.
  • Executive reporting: Detailed results plus executive analysis for “go/no-go” decisions.
  • Post-report analysis: Security reports and analysis are delivered within three weeks.

Bugcrowd recently landed $30 million in Series D funding, bringing to $80 million its total venture backing since the company’s founding in 2011. Previous investor Rally Ventures led the round. Gupta said the capital infusion will help the company expand its geographic reach to Europe and Asia.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.