What is Bug Bounty?
A bug bounty program is an arrangement offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. These programs let vendors discover and resolve bugs before the general public is aware of them, which reduces the chance that the flaws are used in cyber-attacks. Bug bounty programs have existed for various computer programs and websites, and they are becoming more common across the information security industry.
Advantages of Bug Bounty
- Access to vulnerability reports from testers who often understand the software or website better than its developers and white hat hackers do.
- Reach new testing talent that has not been recruited through traditional penetration testing vendors.
- Receive permission-based access to operate on sensitive or classified customer networks.
- Gain permission to test across the various subdomains used in your organization, for example:
  *.adsecurity.org
  *.reporting.corp.adsecurity.org
- Acquire TTPs and techniques related to post-exploitation on enterprise networks that go beyond simple vulnerability exploitation.
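Wildcard scope entries like the two above are easy to misread, on both sides of a program: a tester who touches a host outside the wildcard is out of scope, and a triager who accepts a report on such a host pays for a bug the program never authorized. The following scope checker is an added example, not code from the original page or from any bug bounty platform. It reuses the two adsecurity.org patterns listed above; the out-of-scope exclusion entry, the URLs and the hostnames fed to it are constructed for illustration. It treats "*.example.org" the way most program briefs intend: at least one label must sit to the left of the wildcard, so the bare apex, look-alike names such as "notexample.org", and suffix-abuse names such as "example.org.attacker.test" are all rejected.

```python
from urllib.parse import urlsplit

# Scope entries as they would appear in a program brief.
# The two adsecurity.org wildcards are the ones listed in the text above.
IN_SCOPE = ["*.adsecurity.org", "*.reporting.corp.adsecurity.org"]
# Hypothetical exclusion, constructed for this example.
OUT_OF_SCOPE = ["legacy.adsecurity.org"]


def normalize_host(target: str) -> str:
    """Reduce a URL or bare hostname to a lower-case hostname.

    Strips scheme, credentials, port, path and any trailing dot so that
    'HTTPS://User@Api.Adsecurity.org.:8443/x' and 'api.adsecurity.org'
    compare equal.
    """
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        # Without a scheme urlsplit treats the string as a path; the
        # leading '//' makes it parse the string as a network location.
        host = urlsplit("//" + target).hostname or ""
    return host.rstrip(".").lower()


def matches(host: str, pattern: str) -> bool:
    """Exact match, or wildcard match that requires a label left of '*.'.

    '*.adsecurity.org' matches 'api.adsecurity.org' but not 'adsecurity.org'
    (no label to the left) and not 'notadsecurity.org' (suffix includes
    the leading dot, so the match must fall on a label boundary).
    """
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '*.adsecurity.org' -> '.adsecurity.org'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def scope_decision(target: str, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE) -> str:
    """Return 'excluded', 'in-scope' or 'out-of-scope' for a URL or hostname.

    Exclusions are checked first so that a named exclusion wins over a
    broader wildcard that would otherwise cover it.
    """
    host = normalize_host(target)
    if not host:
        return "out-of-scope"
    if any(matches(host, p) for p in out_of_scope):
        return "excluded"
    if any(matches(host, p) for p in in_scope):
        return "in-scope"
    return "out-of-scope"


def filter_targets(targets):
    """Map each candidate target to its scope decision."""
    return {t: scope_decision(t) for t in targets}


if __name__ == "__main__":
    # Constructed candidate targets covering the edge cases above.
    candidates = [
        "https://API.adsecurity.org:8443/login",   # in-scope (port/path ignored)
        "x.reporting.corp.adsecurity.org.",        # in-scope (trailing dot ignored)
        "adsecurity.org",                          # out-of-scope (bare apex)
        "notadsecurity.org",                       # out-of-scope (look-alike)
        "adsecurity.org.attacker.example",         # out-of-scope (suffix abuse)
        "legacy.adsecurity.org",                   # excluded (named exclusion)
    ]
    for target, decision in filter_targets(candidates).items():
        print(f"{decision:13s} {target}")
```

Note that "*.reporting.corp.adsecurity.org" is already covered by "*.adsecurity.org", so the second pattern adds no hosts to this checker; briefs still list nested wildcards when the narrower tree carries different rules or payouts, which is why a real checker would attach the matched pattern to the decision rather than collapsing it to a yes/no.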
Disadvantages of Bug Bounty
- Slower time-to-patch than for vulnerabilities reported through traditional penetration testing, since a bounty submission may not include the details needed to reproduce the vulnerability.
- Reduced scope for engagements, sometimes due to customer restrictions or to a need for elevated access that is not part of standard pentesting agreements (this is becoming less of an issue as customers understand the value of a bug bounty program).
- In some cases the customer has already used their yearly vulnerability-scan credit and has no additional funds for pentesting.