Bug bounties have gained significant ground in recent times – utilizing the power of crowdsourcing to change the traditional structure of security testing. Large organizations, such as Microsoft, Facebook and Google, have established programs – paying out millions in bounties in 2018. 
However, the more comprehensive penetration testing model remains a necessity. If you’re to rest easy at night, safe in the knowledge that your infrastructure is secure, pen testing gives you an extra layer of assurance.
The motivation is the same for each – to root out potential security weaknesses. However, the means by which they achieve that are very different, and so are the results.
Think of the initial process as if you’re hosting a party. With a pentest, you’re going for the exclusive, structured approach, with named ethical hackers, a clear schedule and greater control. There’s more communication between guest and host, and you’re aware of who’s doing what, and when.
With a bug bounty, you’re throwing the invitation out there to anyone who’s interested. People can come and go as they like. You’re losing structure and control but opening it out to more people.
Don’t worry, chaos of Project X proportions won’t result. Bouncers and restrictions are in place – you control which network resources are in scope and which are out of scope.
A pentest gives you a professional and complete overview of your infrastructure. When you run a pentest, you have the assurance of a contract with the cyber security agency.
The agency has legal obligations and responsibilities in case of incident – like any service provider in any industry, the agency’s reputation is at stake.
As a client, you’re well aware of:
The client has complete control over what’s included in the test and what the focus is.
With bug bounty programs, clients pay for results only. It allows for continuous security testing by a vast number of people.
For those businesses that are confident their website is secure, it can be a revealing and interesting challenge to expose that website on a bug bounty platform. That is why the likes of Microsoft and Google have successfully pursued the model.
If you’re an organization that holds any amount of sensitive data, penetration tests cannot be ignored, while bug bounty programs are useful only when certain criteria are met.
The points weigh more heavily on the side of a pentest. This is not to say bug bounties aren’t useful – it’s just they should be used as a supplement to, rather than a replacement of, a penetration test.
The thing to remember is that bug bounties have a public character and are highly competitive. To attract the right hackers, you need to be able to put an attractive price on a vulnerability.
If the price isn’t right, then hackers won’t be interested, meaning a company that can’t afford to pay as much as the big players will typically lose out.
Expertise is an issue as well. The majority of hunters in bug bounty programs are not experienced. Typically, they’re on the lookout for low-hanging fruit, and it’s unlikely that critical vulnerabilities will be revealed.
A regular penetration test with a trusted team gives you a much more comprehensive picture of your organization’s security status and will keep your infrastructure safe in the long run.
So… in this case, inviting fewer people with greater expertise to the party might prove to be more of a success than the open invitation.
Get in touch with our experts today and see how your organization can benefit from a pro pen test.