Due to the recent spate of ransomware incidents, organizations and nervous IT administrators are wondering how to protect themselves from falling victim to such attacks. The fact is that relying on internal security testing alone is no longer sufficient in this modern era. If an oversight is made by an IT team during implementation, that same oversight will be made during internal testing because it’s the same individuals involved.
This is why organizations are turning to penetration tests and bug bounties to improve their security. External expertise is what’s required to detect open vulnerabilities that get missed by internal processes and exploited by modern cybercriminals. With that, a question arises: bug bounties vs. penetration tests – which one is right for my organization?
In this post, we’ll cover the differences between the two initiatives, analyze the associated costs and effort involved to help you decide which one (or both!) is best suited for your organization.
What are bug bounties?
In brief: bug bounties are a crowdsourced open-ended security audit. Basically, an organization says to the world: come try and hack us – if you do we’ll give you money! Independent security researchers then try to discover and report vulnerabilities before malicious actors are able to exploit them. If the researchers are successful, they’re typically awarded a cash payout corresponding to the severity of what they discovered.
That’s the gist of it. Bug bounty programs can be operated in-house or through a platform like HackerOne or Bugcrowd. An organization publicises the rules of engagement (which hopefully the community follows) and manages things from there.
What is a penetration test?
While bug bounties are essentially crowdsourced cybersecurity, penetration tests are a structured engagement with a team of industry experts. An organization works with a cybersecurity firm that specializes in security audits to perform the test. The two work together to define the scope and objectives of the engagement while collaborating throughout the process over an agreed-upon timeframe. At the end of the engagement, the client typically receives a report of the discovered vulnerabilities, recommended remediations, and the door is left open for future exchanges and security consulting.
If bug bounties are performed by cowboys, penetration tests are performed by the sheriffs and deputies whose badges take the form of industry-recognized certifications and practices. It’s less Wild West and more Johnny Law.
Want to know how Vumetric has helped 1,000+ organizations improve their cybersecurity?
Comparing the two: bug bounties vs. penetration tests
The following criteria help illustrate the key differences between bug bounty programs and penetration tests:
|Category||Bug Bounty||Penetration Test|
Posted ruleset created by the organization
Typically limited to publicly-accessible resources*
Agreed upon at the start of the engagement
Can include sensitive authenticated services
Can include internal infrastructure
In-house staff must manage the program and respond to submissions while it is active
Requires software to track submissions
Some overhead can be mitigated by using a bug bounty platform
Project management meetings throughout the engagement
Information gathering (ie. service documentation and network ranges) plus access configuration to provide testers
Bounties must be set high enough to attract interest
Large number of discoveries can lead to higher than expected payouts
Staffing costs to internally manage the program
Predictable and agreed upon during negotiation
|Outputs||Individual vulnerability reports for each discovery||
Comprehensive report that includes vulnerabilities by severity, remediations, and additional recommendations
Meeting to discuss the findings
Attestation that can be provided to clients/insurance companies proving you have completed the process and addressed the vulnerabilities
Making the decision
Choosing to do a penetration test
The structured nature and predictable costs of penetration testing can be attractive to organizations, especially those without dedicated IT security staff. Calling in the experts for a defined engagement with a specific timeline and set of deliverables is easy for management to grasp and produces tangible outputs such as reports and attestations. It also ensures that everything defined in the scope gets audited and sensitive services are handled with discretion – something that isn’t guaranteed with a bug bounty program.
If an organization is able to say that they’ve completed a penetration test, fixed all the identified vulnerabilities, and has documentation to prove it – that can go a long way towards building client confidence and satisfying insurance providers and regulators.
Choosing to run a bug bounty program
For larger organizations with resources for a dedicated IT security team, bug bounties can make sense. Especially if the organization exists primarily in the tech space like Software as a Service (SaaS). By tapping into the collective knowledge of the global information security community, vulnerabilities can be safely identified and patched before they get exploited by a malicious actor.
If you’re deciding to do a bug bounty program, be sure your organization is ready to dedicate the necessary resources for it. The program needs staff to run it, bounties that are high enough to attract attention, and a marketing initiative to promote it within the security community. Be prepared to sift through some low-quality submissions from researchers who didn’t read the rules or are trying to make a quick buck. Basically – it’s going to take some work, but can be well worth it in the end.
The good news: you can do both
Typically, it makes sense to start with a penetration test, and make a habit of doing one annually or before a new product launch. This guarantees that everything gets checked out (even the boring stuff) and that industry standards for security are being met. For organizations already engaging in penetration testing, the addition of a bug bounty program can further improve their security posture between tests.
As IT infrastructure ages and grows more complex, the techniques cybercriminals use to extort their victims are becoming increasingly sophisticated. At a minimum, a proper defense against these threats includes penetration testing from an expert firm. For organizations that want to go above and beyond, bug bounties are an additional security initiative to help stay ahead of hackers. This is a battle that gets fought on multiple fronts.