< Back to Insights
Laptops taking part in a penetration test | Informer.

What’s the difference between a penetration test and a bug bounty?

To stay secure and comply with regulations, businesses must regularly test for vulnerabilities. What is their best method, bug bounties or penetration tests?

Bug bounties have gained significant ground in recent times – utilizing the power of crowdsourcing to change the traditional structure of security testing. Large organizations, such as Microsoft, Facebook and Google, have established programs – paying out millions in bounties in 2018. [1]

However, the more comprehensive penetration testing model remains one of necessity. If you’re to rest easy at night, safe in the knowledge your infrastructure is secure, pen testing gives you an extra layer of security.

What are penetration tests and bug bounties?

Penetration test

  • A penetration test – pen test for short – involves a cybersecurity agency challenging the security of a network by mimicking the methods used by a hacker
  • It is both automated – using specialized vulnerability scanning and tools – and manual – utilizing the majesty of the human mind to target dangerous vulnerabilities
  • It’s a collective professional effort – a team of cybersecurity specialists collaborate to identify threats
    The result is a detailed report guiding you to remediation

Bug bounty

  • A bounty is placed on a bug and vigilante hackers are invited to track it down for reward. Simple
  • The bug is a metaphor for a security flaw and the supposed vigilantes are ethical hackers
  • A bug bounty program utilizes crowdsourcing, inviting ethical hackers to report exploits and vulnerabilities in return for payment
  • It’s a solo effort by individual hackers – encouraging an atmosphere of competition over cooperation
  • Rewards are paid only when the hacker finds a relevant vulnerability in the system

What are the differences?

The motivations are the same for each – to root out potential security weaknesses.However, the means with which they achieve that are very different, and so are the results.

Think of the initial process as if you’re hosting a party. With a pentest, you’re going for the exclusive structured approach, with named ethical hackers, a clear schedule and greater control. There’s more communication between guest and host, and you’re aware of who’s doing what when.

With a bug bounty, you’re throwing the invitation out there to anyone who’s interested. People can come and go as they like. You’re losing structure and control but opening it out to more people.

Don’t worry, chaos of Project X proportions won’t result. Bouncers and restrictions are in place – you’re in control over what network resources are within/out of scope.

Penetration test

  1. Performed by an accredited cyber security agency or qualified pentester
  2. Provide a detailed security assessment of your network
  3. Has a precise schedule – a beginning and end
  4. A comprehensive report is produced with actions that should be taken to fix flaws
  5. Personal contact is made between the pentesters and client
  6. A team effort – pentesters working together to analyze a whole network or system
  7. Ability to test unpublished software/hardware

Bug bounty

  1. Performed by crowdsourced hunters, who register at bug bounty platforms
  2. Typically focus on single web applications
  3. No time structure – ethical hackers will go on a hunt whenever they want or have time for it
  4. Clients are notified about flaws via the bug bounty platform
  5. No contact between hunter and client
  6. One-man band – solitary ethical hackers focussing on a single web platform
  7. Only test software/hardware which is available online
  8. Focusses on the larger bounties, meaning smaller ones are overlooked. These could turn into big problems over time
  9. Organization pay and annual subscription – that can reach into six figures – to be on a bug bounty platform, even if no fault is found

Pentest positives

It gives you a professional and complete overview of your infrastructure. When you run a pentest, you have the assured inclusion of a contract with the cyber security agency.

The agency has legal obligations and responsibilities in case of incident – like any service provider in any industry, the agency’s reputation is at stake.

As a client, you’re well aware of:

  • When the test is happening
  • What specific IPs are involved
  • Which phase of the audit is currently running

The client has complete control over what’s included in the test and what the focus is.

Bug bounty positives

With bug bounty programs, clients pay for results only. It allows for continuous security testing by a vast number of people.

For those businesses that are confident in the knowledge that their website is secure – it can be a revealing and interesting challenge to expose their website on a bug bounty platform. Hence why the likes of Microsoft and Google have successfully pursued the model.

But which is for me?

If you’re an organization that holds any amount of sensitive data, penetration tests cannot be ignored, while bug bounty programs are useful only when certain criteria are met.

Pentests are for you when:

  1. Need a professional and comprehensive picture of the current state of your infrastructure and online environment
  2. Want to identify and prioritize risks – allowing your organizations to evaluate network security and establish the necessary controls
  3. Are proactively developing a long-term plan for preventing hackers from infiltrating your system
  4. Need to comply with industry regulation, such as PCI, HIPAA, FISMA and ISO 27001
  5. Are implementing or updating new software

Big bounties are for you when:

  • Want to compliment penetration testing – enlarging the scope of your security testing on a platform that you are confident is already well secured
  • Can afford to place a competitive fee on a vulnerability, that will attract high-quality hackers
  • Need to run testing on public websites that do not typically face major security threats – i.e. those websites that do not process confidential data

The points weigh more heavily on the side of a pentest. This is not to say bug bounties aren’t useful – it’s just they should be used as a supplement to, rather than a replacement of, a penetration test.

The thing to remember is that bug bounties have a public character and are highly competitive. To attract the right hackers, you need to be able to put an attractive price on a vulnerability.

If the price isn’t right, then hackers won’t be interested, meaning a company that can’t afford to pay as much as the big players will typically lose out.

Expertise is an issue as well. The majority of hunters in bug bounty programs are not experienced. Typically, they’re on the look-out for low hanging fruits and it’s unlikely that critical vulnerabilities will be revealed. [2]

Regular penetration test with a trusted team gives you a much more comprehensive picture of your organization’s security status and will keep your infrastructure safe in the long run.

So… in this case, inviting fewer people with greater expertise to the party might prove to be more of a success than the open invitation.

Get in touch with our experts today and see how your organization can benefit from a pro pen test.

[1] techradar.com

[2] cyberscoop.com

More from

penetration testing

Shodan: The Search Engine for Hackers

Shodan is not your average search engine and has become a tool used by hackers to find internet-connected devices and more.

Read Article >

Understanding Cross-Site Scripting: How to prevent an XSS attack

Learn why it's important to take a multi-layered approach to help prevent XSS attacks.

Read Article >

Understanding Cross-Site Scripting: Going beyond an alert box

In this post we are going to take a deeper dive into this vulnerability and investigate some of the more malicious payloads that could be used

Read Article >