What is Bug Bounty?

What is bug bounty? From large enterprises to government agencies, Bug Bounty programs are used alongside traditional, checklist-based penetration tests for their access to a diverse skill set, pay-for-results model, and potential for ongoing testing. While traditional pen testing is often used to achieve compliance, these programs and bug bounty competitions pay cash rewards to ethical hackers, otherwise known as security researchers, for finding and reporting weak points and bugs in the software. Researchers provide security teams with reports describing how an attacker could breach their security systems.

Is Bug Bounty the Same as Crowdsourcing?

In theory, the advantage of bug bounty security testing is that it creates attractive incentives for ethical hackers to find more vulns than a traditional pentest would. However, the Bug Bounty term can be confusing, as it is often used broadly to mean any researcher-based vuln discovery, some of which doesn't even employ a true "crowd". To further complicate things, many bug bounty-based companies are oriented more toward performing checklists for their broad customer base, reserving the true crowdsourcing methodology for their large enterprise customers. A good buying decision requires discernment from the buyer. See below for more detail on the various flavors of Bug Bounty and their pros and cons: