‘The unpredictability and creativity of actual threat actors’: Energy giant NOV reaps the rewards of Bug Bounty

September 18, 2025

Global energy services company NOV have a Bug Bounty partnership with YesWeHack

Bug Bounty hunters bring a “real-world attacker mindset” absent from traditional penetration testing, according to security executives from global energy services provider NOV.

Emboldened by their Bug Bounty Program’s performance a year since launch, James Cooper and Justin Moore – directors of product security and IT security respectively – already have ideas for extracting further value from crowdsourced security testing. This includes making the US multinational’s digital assets more secure by design via a “tighter feedback loop” between external hunters and internal teams.

In the wide-ranging Q&A below, the pair also reflect on the value of effective triage, an agile business model and a testing layer that runs 24/7.

The following answers were provided jointly by James and Justin.

Please give us a brief lowdown on NOV for anyone unfamiliar with the company…

James and Justin: NOV delivers the equipment, software and expertise that drive global energy operations. For more than 150 years, we’ve helped customers safely produce energy at scale – while constantly improving efficiency and reducing impact. NOV powers the industry that powers the world.

How would you characterise your security culture? How well does Bug Bounty integrate with it?

Security is a core part of our culture. We support critical infrastructure, so we treat cybersecurity as both a business imperative and an industry responsibility.

Bug bounty fits naturally: it gives us constant pressure-testing from skilled external researchers and keeps us sharp between scheduled assessments.

The security stakes must be particularly high given your large scale and the criticality of the sector you operate in…

We face a broad and evolving attack surface. Our scale, global reach and role in critical industries make us a target for everything from opportunistic scanning to nation state-level threats.

We need depth, agility and external perspective. Bug bounty contributes to that.

What other context can you provide for your decision to launch a Bug Bounty Program?

We launched a Bug Bounty Program to improve the depth, diversity and responsiveness of our security testing efforts. While we regularly worked with traditional penetration testing firms, we faced ongoing issues with limited testing scopes, inconsistent quality of findings and a lack of real-world attacker mindset.

By adopting a crowdsourced model, we gained access to a global community of skilled researchers with a wide range of expertise.

This approach better reflects the unpredictability and creativity of actual threat actors. It has helped us identify vulnerabilities that were previously overlooked and has become a valuable component of our overall security strategy.

How has the program evolved since its launch about a year ago?

It has steadily grown in both scope and engagement.

Initially, we started with a limited set of assets to evaluate program effectiveness and researcher quality. Over time, we expanded the scope to include more applications, APIs and infrastructure components based on the program’s success and the actionable findings we received.

We’ve also refined our bounty grid to better align with vulnerability severity, business impact and exploitability.

What’s the biggest challenge you’ve faced so far and how have you overcome it?

One of the most significant challenges we’ve faced has been establishing a fair and transparent approach to bounty payments. Striking the right balance between encouraging participation and maintaining high standards can be difficult.

To address this, we’ve set a clear standard that only the highest fidelity reports – those demonstrating well-documented, reproducible and impactful findings – are eligible for reward. This approach ensures quality over quantity, promotes thoroughness and ultimately strengthens the integrity of our program.

What has most surprised you about the experience so far and why?

The quality of findings from the testers has been consistently high, offering valuable insights, while the triage efforts have proven instrumental in streamlining issue resolution and prioritisation.

What are your plans for further optimising or expanding the program in the coming months and years?

We’re focused on maturing the program, not just expanding it. That means tightening integration with internal teams, especially engineering and risk management, so findings translate more directly into action.

We’re also aligning the program with compliance frameworks and audit processes to improve traceability and reduce gaps.

Longer term, we want a tighter feedback loop between external researchers and internal stakeholders so the insights we get don’t just fix bugs – they improve how we build and secure systems from the start.

Why did you choose YesWeHack over other platforms?

YesWeHack offered the right balance between researcher quality, platform usability and cost control. We evaluated several vendors and found that some came with premium pricing but didn’t offer clear advantages in terms of outcomes.

YesWeHack gave us access to a skilled, motivated community of researchers without the overhead. The platform itself is efficient to use – easy for our team to manage submissions, coordinate triage and communicate with hunters. That helped us move quickly, stay focused on results and demonstrate value early without draining resources.

What are the most significant benefits of Bug Bounty?

Continuous testing is the top benefit. Unlike scheduled pentests, Bug Bounty provides real-time coverage – vulnerabilities are found and reported as they emerge.

It also brings diverse perspectives. External researchers think differently than internal teams, often uncovering issues others miss.

Finally, it drives urgency. Knowing skilled hunters are testing your systems keeps teams sharp and reinforces a proactive security culture.

In what ways is Bug Bounty distinct from pentesting or other forms of security testing?

Bug bounty is continuous, dynamic and community-driven. Traditional pentests are time-boxed and scoped tightly – they give you a snapshot. Bug Bounty Programs, on the other hand, run 24/7 and evolve alongside your environment.

They also tap into a broader talent pool. Instead of relying on a single team with a fixed approach, you get input from diverse researchers with different tools, techniques and areas of expertise. That leads to more creative findings and better overall coverage.

Based on your experience so far, what are the key factors for a successful Bug Bounty Program?

Start with quality over quantity. Skilled researchers are critical – they produce actionable findings, not noise.

But strong triage is just as important. Good reports only add value if they’re reviewed quickly, validated accurately and routed to the right teams.

We also found that starting small with a focused scope made a big difference. It gave us space to refine workflows, align internal teams and build trust in the process before scaling up.

Any advice for your peers who might be considering whether or when to launch a BBP?

Start small and start early. You don’t need to open your entire attack surface on day one.

Begin with a tightly scoped private program, test your internal processes, and learn how to triage and respond efficiently. Once you’re comfortable, you can expand scope and open it up to a broader researcher base.

Anything about the findings surfaced so far that your peers might be interested to know about?

Some of the most serious bugs were found in apps that had already been through internal testing and multiple safeguards. They weren’t overlooked out of neglect – we had controls in place.

That’s exactly why layered defence matters. Bug bounty adds an outside-in perspective that other layers can’t replicate.

Anything else to add before we finish?

Bug bounty isn’t just about finding flaws – it’s about building better systems through external pressure, faster feedback and broader insight. It’s not a silver bullet, but when used well, it strengthens every part of the security program.

We’re glad to be part of the community and always looking to learn from others doing the same.
