A bug bounty service is a continuous security test that helps businesses prevent cyber-attacks, data theft and abuse. The testing is carried out by ethical hackers who receive pre-specified rewards for the errors and vulnerabilities they find.
A bug bounty service has a proven record of harnessing the global security community to locate critical vulnerabilities so they can be fixed before attackers exploit them.
A bug bounty service is used alongside traditional, checklist-based penetration tests because of its access to a diverse skill set, its pay-for-results model, and its potential for ongoing testing. While traditional pen testing is often used to achieve compliance, in a bug bounty programme the business pays cash rewards for finding and reporting weak points and bugs in its software.
The biggest difference from a penetration test is that a bug bounty service offers continuous security testing at a price the client has approved in advance.
Category | Bug Bounty | Penetration Test |
---|---|---|
Scope | Determined by the extent of the client's interest; typically limited to publicly accessible resources | Conducted to meet the exacting needs of a specific client; can include sensitive authenticated services |
Cost | Somewhat unpredictable; bounties are only paid once a vulnerability is disclosed | Predictable and agreed upon during negotiation; varies based on the scope of work |
Time | Specified by the client; usually a long-term continuous test | Predictable and agreed upon during negotiation; varies based on the scope of work |
Outputs | Individual vulnerability reports for each discovery | Comprehensive report that includes vulnerabilities by severity, remediation, and additional recommendations |
Copyright © 2021 HTD.RED