What is the difference between penetration testing and bug bounty programmes?

To stay secure many businesses regularly test their systems to identify vulnerabilities. Penetration testing is one of the most common types of cyber security assessment but in recent years a growing number of businesses have also turned to ‘bug bounty’ programmes to supplement their testing programmes.

Penetration testing (often referred to as pen testing) is a well-known and established form of assessment, typically carried out by a company that specialises in ethical hacking (covered in detail in Redscan’s extensive glossary). Bug bounty programmes, however, are a more recent offering, viewed by many as a complement to penetration testing, helping to widen the scope of security testing on platforms that are already well secured against attack.

Many large organisations run their own bug bounty programmes, including Google, Facebook and Microsoft (which paid out millions in bounties in 2018). Even the EU has begun funding programmes.

In fact, according to Gartner, by 2022, automated and CSSTP (crowdsourced security testing platform) products and services will be employed by more than 50 per cent of enterprises, rising from fewer than 5 per cent today. In this article we take a look at the key differences between security testing offered by pen testing providers and bug bounty programmes.

  1. The expertise

Pen tests are carried out by experienced ethical hackers employed by specialist cyber security companies. Professional ethical hackers are expected to hold recognised cyber security qualifications, giving them an in-depth knowledge of the legal, technical and ethical aspects of testing. Before any work is undertaken by a penetration tester, it is common practice to verify the person’s identity and sign a contract that agrees the scope of the work.

Bug bounty programmes also attract professional ethical hackers. However, as anyone can sign up to a programme, testing will typically be carried out by a mixture of professionals and amateurs with hugely varied experience, knowledge and ethics. Bug bounties tend to attract students and those looking to practise their ethical hacking skills. For this reason a large share of the reports received can be duplicates, invalid findings or low-quality submissions that still have to be triaged.

  2. The scope

Pen tests are conducted to meet the exacting needs of a specific client. Indeed, there are many types of assessment, ranging from internal and external network testing, to web application testing, wireless testing, and more. Testing can also be arranged to suit the operational requirements of a business, for example, by being conducted outside of regular working hours.

Bug bounty programmes are focussed on testing assets that are publicly accessible, typically websites and web applications. For this reason, bounty programmes aren’t able to detect vulnerabilities inside a network, or in websites and applications before they go live. The scope of the testing is also typically far less well defined, and sometimes organisations will not receive the type of feedback they are seeking.

  3. The duration

Penetration testing for web applications is usually carried out over a relatively short time – perhaps two to three days.

Bug bounty programmes, on the other hand, are not conducted in line with specific deadlines and for this reason are best used for continuous testing. This makes them ideal for large technology businesses that are constantly releasing new products and updates, but it also means they are less useful for companies with less frequent release cycles.

  4. The cost

The cost of a penetration test is typically based on the number of days required for hackers to achieve the agreed objective of the test.

Most bug bounty platforms, on the other hand, allow organisations to set the price they are prepared to pay. While this may seem appealing, setting bounties too low may well deter testers. On the flip side, if a huge number of vulnerabilities are discovered, costs can quickly mount up.

Some bug bounty programmes offer rewards in the hundreds of thousands of pounds, but such single payouts remain the exception.

  5. The feedback

Any good penetration test will not only identify exposures, but will also provide the feedback and support needed to address them. Bug bounty programmes are focussed solely on discovering vulnerabilities, and for this reason the level of remediation guidance will generally be low.

If an organisation manages its own bug bounty programme, it may struggle to deal with an influx of reports from testers: each submission has to be triaged, reproduced and prioritised before any fix can begin, and that triage effort is a cost in its own right.