You might have considered running a bug bounty program instead of a penetration test. A bug bounty program is run through a bug bounty platform, in collaboration with companies that want to improve the security of their web and mobile applications: independent infosec researchers test the applications online and receive a bounty (a monetary reward) for each valid vulnerability they report. The objective is similar to that of a penetration test, so choosing a bug bounty program over a pen test can be a sound decision, but each approach has its own pros and cons.
- With a penetration test (or a web or mobile application assessment), one or two highly trained consultants carry out the job for a fixed price over a fixed number of days. You know in advance how much you will spend, but the coverage is bounded by those days and the quality of the assessment depends entirely on the skill of the consultant.
- With a bug bounty, a managed platform (e.g. Bugcrowd) provides a continuous assessment of your assets, conducted by many talented hackers. You will usually set a reward for each bug based on its severity in order to attract the most capable bug hunters. The major drawback is that if your web applications are poorly developed or maintained, you may receive dozens of bug reports in a short time and have to pay a bounty for each of them, even when many are low-severity findings whose overall value to you remains limited.
Which service should you choose? A penetration test or a bug bounty?
CodeGrazer suggests that doing both may be the right solution, and offers a Pre Bug Bounty assessment for clients who have decided to run a bug bounty program but are not sure of the current state of their external assets.
How can you have the best security service while not spending a fortune?
CodeGrazer will perform the Pre Bug Bounty assessment to find vulnerabilities across your websites, and will indicate which web services are most likely to be vulnerable and which ones are likely to cost you the most money once a bug bounty program is started.
This is typically not a full-blown penetration test. It is a shorter security assessment aimed at finding low-hanging-fruit vulnerabilities, together with critical vulnerabilities that sit deeper within your systems, in order to pinpoint the weak points of your web applications. This way you will be able to address the major security issues before starting a bug bounty program, rather than paying bounties for them.
By purchasing CodeGrazer's Pre Bug Bounty service you will be able to:
- Find low-hanging-fruit and critical vulnerabilities before bringing in the big guns provided by bug bounty programs.
- Pay bounties only for bugs that really matter.
- Discover your weak points without spending a fortune.
- Learn from a top-level bug hunter and teach your developers to think like one.