Why did you launch a bug bounty program?
We launched a bug bounty program owing to our short delivery cycles. In the past, we conducted ‘traditional’ penetration testing once a year. However, we have a lot of changes every month to our scopes and could not wait 12 months for the next audit. Bug bounty enables us to carry out continuous checks, for each release, update, and new delivery.
What value does bug bounty bring compared with traditional cybersecurity solutions, such as penetration testing?
It’s the return on investment. The opportunity to pay based on results is very important for a small organisation like ours with limited budgets. With traditional penetration testing, we have to pay even if nothing is found. Our last penetration test cost around €8,000 and no major vulnerabilities were reported.
After two months of running this latest program, dozens of security flaws were reported, including some critical vulnerabilities never reported by previous audits. This was achieved with a reward budget approximately half that of a single audit.
I would also mention diversity: penetration testing is too ‘academic’ and doesn’t meet our real needs. Most penetration testers run tools and tick boxes. As a result, too many vulnerabilities are left undiscovered. The diversity of hunters and their range of skillsets make a big difference.
Lastly, the model is very flexible. Take scope evolution, for example. With a traditional penetration test, a scope is defined in advance: if you want to change anything, you have to pay again for another audit. Now, with bug bounty, we can fine-tune the program over time, adding products or URLs to the scope. This is key to us.
Do bug bounty programs spell the end for penetration testing? Or will they remain complementary?
As a trusted digital service provider, we have to run penetration tests to meet regulatory requirements. So, we have no choice but to continue with traditional audits. However, if we were in an industry not subject to such regulations, there’s no question we would only use a bug bounty platform.
This year, we will cite bug bounty in our certification process, making the case that bug bounty is equivalent to intrusion testing – and actually more effective.
What’s next?
We will expand the program to our APIs and mobile apps.
Is there anything else you’d like to mention?
Bug bounty is also a key selling point for our sales team, especially with large accounts that require stringent security guarantees. Bug bounty is now automatically included in our sales presentations to large accounts.