Crowdsource

Crowdsource is Detectify’s curated network of over 400 vetted ethical hackers who build the vulnerability detection modules that power all Detectify products.

How It Works

When a researcher discovers a new technique or a new CVE is published, they can build a detection module and submit it to Detectify. Modules typically arrive within days of public disclosure.

The Researcher Network

Vetting Process

Researchers go through a vetting process that evaluates:

  • Demonstrated security research expertise
  • Track record of responsible disclosure
  • Quality of previous vulnerability findings
  • Adherence to ethical hacking standards

Who They Are

Crowdsource researchers include:

  • Independent security researchers and bug bounty hunters
  • Penetration testers at consulting firms
  • Security engineers at technology companies
  • Academic researchers in computer security

These researchers bring diverse specializations: some focus on web application vulnerabilities, others on cloud misconfigurations, API security, or specific technology stacks.

Module Types

Crowdsource modules fall into several categories.

CVE Modules

Modules that detect specific known vulnerabilities identified by CVE numbers. These are built when a researcher analyzes a CVE disclosure, understands the exploit mechanism, and creates a payload-based test that can confirm whether a target is affected.

Technique Modules

Modules that detect classes of vulnerabilities rather than specific CVEs. For example, a technique module might test for Server-Side Request Forgery (SSRF) using multiple payload variations and detection methods (DNS callbacks, timing analysis, response content analysis).

Misconfiguration Modules

Modules that detect security misconfigurations in web servers, cloud services, CDN configurations, DNS settings, and other infrastructure components. These often do not correspond to specific CVEs but represent real security risks.

Technology-Specific Modules

Modules tailored to specific frameworks, CMS platforms, or cloud services. These test for vulnerabilities and misconfigurations unique to technologies like WordPress, Nginx, AWS S3, Azure Blob Storage, and many others.

The QA Pipeline

Every module — whether written by a researcher or generated by Alfred AI — passes through a multi-stage quality assurance pipeline before deployment.

Stage 1: Automated Testing

The module is executed against controlled lab environments that contain the target vulnerability. The module must:

  • Successfully detect the vulnerability in the lab environment
  • Produce no false positives against a set of clean (non-vulnerable) targets
  • Complete within acceptable time and resource limits
  • Follow Detectify’s scanning safety policies (no destructive payloads)
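As an added example (not Detectify's code, and not the actual format Crowdsource modules are written in), the Python below sketches a hypothetical SSRF technique module of the kind described under Technique Modules above, and then runs it through the four Stage 1 checks just listed against constructed lab stand-ins. The module class, the out-of-band domain `oob.example`, the loopback spellings, the `make_lab_target` fixture and the time budget are all assumptions made for this illustration; a real module would send HTTP requests and consult the scanner's own DNS callback listener.

```python
import re
import secrets
import time
from dataclasses import dataclass
from urllib.parse import quote, unquote, urlsplit

# Hypothetical out-of-band listener domain (assumption for this example).
CALLBACK_DOMAIN = "oob.example"
# Several spellings of loopback that a naive blocklist on "127.0.0.1" misses.
LOOPBACK_VARIANTS = ["127.0.0.1", "2130706433", "0x7f000001", "[::1]"]
# Strings that only appear if the target fetched a cloud metadata endpoint.
METADATA_MARKERS = re.compile(r"ami-id|instance-id|meta-data", re.I)


@dataclass
class Finding:
    payload: str
    method: str      # "content" (response body) or "dns_callback" (OOB)
    evidence: str


class SsrfTechniqueModule:
    """Hypothetical technique module: probes a URL-taking parameter with loopback
    variants plus a unique OOB hostname and confirms SSRF via two signals."""
    name = "ssrf-url-parameter"
    severity = "high"

    def payloads(self, token):
        plain = [f"http://{h}/latest/meta-data/" for h in LOOPBACK_VARIANTS]
        plain.append(f"http://{token}.{CALLBACK_DOMAIN}/")
        # URL-encoded copies catch targets that decode the parameter a second time.
        return plain + [quote(p, safe="") for p in plain]

    def run(self, send, callbacks_seen):
        token = secrets.token_hex(8)           # per-scan token ties a callback to us
        findings = []
        for p in self.payloads(token):
            _status, body = send("GET", p)     # read-only verb only: safe-scanning policy
            if METADATA_MARKERS.search(body):
                findings.append(Finding(p, "content", body[:40]))
        if token in callbacks_seen():          # DNS-only evidence, even if body is empty
            findings.append(Finding(token, "dns_callback",
                                    f"DNS lookup observed for {token}.{CALLBACK_DOMAIN}"))
        return findings


def make_lab_target(vulnerable):
    """Constructed stand-in for a lab host. Returns (send, callbacks_seen, methods_used)."""
    callbacks, methods = set(), []

    def send(method, url_value):
        methods.append(method)
        if not vulnerable:
            return 200, "<html>fetch disabled</html>"      # clean target never fetches
        host = urlsplit(unquote(url_value)).hostname or ""
        if host.endswith(CALLBACK_DOMAIN):
            callbacks.add(host.split(".")[0])             # resolver saw our token
            return 502, "upstream unreachable"
        if host in {h.strip("[]") for h in LOOPBACK_VARIANTS}:
            return 200, "ami-id\ninstance-id\n"           # IMDS-style listing leaked
        return 200, "fetched"

    return send, (lambda: set(callbacks)), methods


def stage1_automated_tests(module, time_budget_s=2.0, clean_targets=3):
    """Gate a module as a Stage 1 pipeline would: detect in the vulnerable lab,
    stay silent on clean targets, finish within budget, use only read-only verbs."""
    report = {}
    send, seen, methods = make_lab_target(vulnerable=True)
    started = time.perf_counter()
    findings = module.run(send, seen)
    report["detects_in_lab"] = bool(findings)
    report["within_time_budget"] = (time.perf_counter() - started) <= time_budget_s
    report["only_safe_methods"] = set(methods) <= {"GET", "HEAD", "OPTIONS"}
    report["no_false_positives"] = all(
        not module.run(s, c)
        for s, c, _ in (make_lab_target(vulnerable=False) for _ in range(clean_targets))
    )
    report["passed"] = all(report.values())
    return report, findings


if __name__ == "__main__":
    report, findings = stage1_automated_tests(SsrfTechniqueModule())
    for f in findings:
        print(f"{f.method:13} {f.payload}")
    print(report)
```

Two signals are kept deliberately separate: the content check fires when the target returns what it fetched, while the DNS callback still catches "blind" SSRF where the body reveals nothing. A module that only used the content check would pass the detection test here but miss blind cases in the field, which is the kind of gap the human review stage is meant to catch.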

Stage 2: Human Review

Detectify’s internal security team reviews the module for:

  • Correctness of the detection logic
  • Appropriate payload construction
  • Accurate severity and classification
  • Clear remediation guidance
  • Compliance with safe scanning policies

Stage 3: Staged Rollout

New modules are deployed gradually, starting with a subset of scans. Performance metrics (detection rate, false positive rate, scan time impact) are monitored before full rollout.

Stage 4: Ongoing Monitoring

Deployed modules are continuously monitored. Modules that degrade in accuracy or produce unexpected results are flagged for review and updated or retired as needed.

Crowdsource vs. Bug Bounty Programs

Crowdsource and bug bounty programs serve different purposes:

  • Bug bounties reward researchers for finding vulnerabilities in a specific organization’s assets
  • Crowdsource rewards researchers for building reusable detection modules that find vulnerabilities across all Detectify customers
