Bugcrowd Unlocks AI Workflows with Temporal

Bugcrowd is a crowdsourced cybersecurity platform that connects organizations with hackers so that they can execute penetration tests and bug bounties. Their customers stay ahead of attackers thanks to the extensive bench of ethical hackers from Bugcrowd. Traditionally, the matching process to define a hacker engagement required a manual search through their contact database to find the correct list of hackers for each customer engagement.

Bugcrowd wanted to shift this human process to machine learning so they could increase capacity and effectiveness. Bugcrowd also needed to escape the capacity and development velocity constraints of their existing Ruby monolith so that they could build their next-generation platform.

A three-person team was assigned to the problem and they designed a future architecture based on microservices and queues that would allow them to migrate off their legacy Ruby monolith. Microservices would also help them scale software engineers because the existing monolith also required a fair amount of domain knowledge of the overall system to code and operate it effectively. Shipment of new features had become cumbersome and risky and new hire engineers needed deep Ruby experience to be successful at Bugcrowd.

Services, queues, databases, and cron were limiting their developer productivity.

Orchestration with Temporal

The Bugcrowd team found Temporal and shifted to use it as the baseline for this project as it was better aligned with the domain and offered dependability without the heavy lift of a custom solution. They needed something easy to adopt and quick to deliver.

Temporal is relatively easy to learn and has significantly reshaped our workflow orchestration strategy.

Bugcrowd quickly transitioned the hacker selection process to Temporal and created three workflows to accommodate their business process. The first workflow is called the "Orchestrator" and it implements two activities. The first activity queries a database to gather requirements for each engagement and it then passes this information off to a second activity that uses ML to match the requirements against their extensive hacker data to obtain a potential list for the engagement.

The second step in this process involves two workflows. The first is the "Hacker" workflow that will initially kick off a child workflow that manages the "invitation" process. They use a series of signals between these workflows to communicate status of each invite and this invitation workflow uses timers and signals to handle human interaction necessary to coordinate acceptance of an invitation. Once the invitation process has concluded, the Hacker process will update the hacker database and the engagement can begin.

This hierarchical approach allows Bugcrowd to modularize the different steps of their process and enables lifecycle management of complex engagements. Between these three workflows they have eliminated a fair amount of human, manual process that was once required and the entire process is much more efficient and reliable.

Today, launching new hacker engagements and creating new crowds is 2x faster, and capacity has increased by 400%. The invitation process no longer requires an on-call engineer to spend four to five hours per day per deployment to complete, saving an average of 15 engineering hours per week. In addition, they have experienced a 50% reduction in downtime for the system overall.

The reduction of downtime enables us to take on new projects.

Video

The Bugcrowd team joined us on a webinar to talk through their use case: