Key takeaways:
- Bug bounty testing is a valid alternative to traditional penetration testing but comes with its own advantages and disadvantages.
- Bug bounty testing is not time limited, allowing testers to find more vulnerabilities within the code.
- This may not be suitable for users who want to quickly stress test an application prior to release.
In today’s digital age, cyber security is more important than ever. As technology continues to advance, so do tactics and strategies of cyber criminals. Organisations of all sizes and industries are at risk of being targeted by malicious actors seeking to steal data, compromise systems and cause disruptions. As a result, organisations are increasingly under pressure to test their implemented security controls to ensure they are fit for purpose.
While it’s clear that cyber security is an urgent priority for businesses, there are different ways of testing for vulnerabilities. In addition to the well-known penetration tests, some businesses are opting to rely on an alternative method called bug bounty testing.
In the fourth part of our Emerging Tech Series, we explore the key differences between bug bounty and penetration testing, and the factors that businesses should consider when choosing between the two.
What is penetration testing?
Penetration testing is a well-established service within the IT and cyber security space. Traditional penetration testing involves one or more skilled practitioners simulating the activities of a hostile actor to determine the extent to which vulnerabilities exist within an organisations infrastructure and/or applications and the extent to which those vulnerabilities may be exploited by a bad actor.
With penetration testers being some of the most in demand skills in all of IT, these services are extremely popular among businesses.
Penetration tests are focused engagements with the testers given a time window and a fixed scope to work on. While this approach is suitable for a wide range of scenarios there are some disadvantages to traditional penetration testing.
The timeboxed nature of a penetration test creates the possibility that some vulnerabilities will not be found if they are not discovered in the agreed window, although testers will focus on identifying whether the most critical vulnerabilities are present first.
A penetration test report also effectively becomes out of date as soon as a change is made to the code. If an application is regularly updated but only tested once a year, multiple vulnerabilities may go undetected for several months. In addition, organisations have to pay a flat fee for a penetration test which may not uncover any significant vulnerabilities.
What is bug bounty testing?
If a business is not under specific time pressure and instead wants to ensure that every vulnerability within an application has been identified, then opting for a bug bounty program may be a better solution.
Bug bounty programs work by offering rewards to independent security researchers or enthusiasts for identifying and reporting found vulnerabilities within an application without set time frames. Bug bounty testers are also known as “bug bounty hunters”, with the name reflecting the commission-based nature of their work.
In a bug bounty program, a copy of the code is uploaded to a secure environment where individuals can attempt to find any vulnerabilities that may be present. Once a vulnerability is identified by a tester, it is reported to the client, who will then arrange for the vulnerability to be tested to determine the extent to which it can be exploited by an attacker. Finally, the bug bounty hunter is awarded a fee based on the severity of identified bug.
Key differences between bug bounty and penetration testing
When it comes to bug bounties, rather than having to make an immediate financial investment up front like in penetration tests, companies instead pay individuals once a vulnerability has been found and confirmed. This helps to spread the cost of testing over a longer financial period.
Of course, if a high volume of vulnerabilities is discovered, this could prove extremely expensive. Due to this, it is strongly advised that bug bounty programs do not commence until an organisation is confident the application or environment has been properly tested internally.
Perhaps the greatest advantage of bug bounty programs is that they open up testing to an extremely broad range of practitioners.
Companies can tap into a global network of ethical hackers who have diverse backgrounds and expertise. This can lead to the discovery of vulnerabilities that may have been missed by a smaller penetration testing team.
Bug bounty testers also tend to approach testing with a “fresh pair of eyes” as they will typically not have any prior knowledge of an environment which may be available to a penetration testing company that frequently tests the same environment or application. This has the advantage of testers not making any assumptions but can also lead to inefficiencies as testers uncover bugs that experienced testers would know cannot be exploited.
Ultimately, the choice between a penetration test and bug bounty program comes down to the business’s needs, and the time pressures that they are working with.
Is bug bounty testing right for my organisation?
A bug bounty program should be strongly considered if you meet the following criteria:
- You are confident that the environment or application you wish to be tested is fundamentally “good” and that testers are not going to find large numbers of bugs and vulnerabilities that should have picked up in your development process
- You are not under time pressure to identify vulnerabilities in the environment or application you are considering having tested and instead want to find as many vulnerabilities as possible
- You want to spread the cost of testing over a longer period of time
- You want to test for vulnerabilities outside of the usual testing window.
In a nutshell, both methods serve a purpose, and it is critical that businesses choose wisely where to spend their resources.
Thanks to Principal Security Consultant David Cooper and Cyber Security Consultant Daria Volynskaya for their contributions to this post.
Concerned about cyber security in your business? Get in touch with our team of cyber security experts.
