Topic: Bug Bounty, A downfall of Pentesting?

M1lak0
Bug Bounty, A downfall of Pentesting?
« on: May 19, 2014, 10:14:48 pm »
I have a question, as I have been thinking about it for 2 days.
Nowadays we can see many bug bounty programs on well known sites to save their penetration testing sessions.
Do you think it is creating less scope for penetration testers these days?
Is the field going down because of these Bug Bounty Programs?
Is the field now in danger, sort of?
I am new and still learning, so what are your ideas and what do you think about this?  :(
"Security is just an illusion"

Daemon
Re: Bug Bounty, A downfall of Pentesting?
« Reply #1 on: June 04, 2014, 01:24:17 am »
The short of it, nope. I don't think it hurts it, and may even help.
Why?
Because first off, pentesting isn't just finding bugs. A full-scope pentest is finding bugs and using them to gain access, so leveraging them in the proper way. Whereas the whole point of a bug bounty is to just audit source code for something that the devs may have missed. Now imagine you're running a site that has a bug bounty program, and you are getting lots of people posting bugs for their bounty. What are you going to worry about? The overall security of your site/app/network/operations. The logical next step would be to conduct a pentest to make sure that you've properly fixed said bugs, as well as to ensure the security of your network. This shouldn't be hurting pentesters any, and like I said it may in fact even contribute to even more tests being done.

Just how I see it, but you should ask some of the guys who work in the industry for their experience as well.

Cheers,
Daemon
This lifestyle is strictly DIY or GTFO - lucid

Because sexploits are for h0edays - noncetonic


Xires burns the souls of HF skids as a power supply

M1lak0
Re: Bug Bounty, A downfall of Pentesting?
« Reply #2 on: June 04, 2014, 07:23:54 am »
Quote from: Daemon on June 04, 2014, 01:24:17 am
The short of it, nope. I don't think it hurts it, and may even help. (...) This shouldn't be hurting pentesters any, and like I said it may in fact even contribute to even more tests being done.
Thanks man for your response. I really appreciate the time you took to reply here and put your understanding here! I asked a few people working in the industry; they said bug bounty hunters are lamers! Finding a bug doesn't make you good! He told me some good reasons why bug bounty is not good, but he didn't mention a downfall, as there is no downfall for pentesters just because of bug bounty hunters hunting for money!
"Security is just an illusion"

Architect
Re: Bug Bounty, A downfall of Pentesting?
« Reply #3 on: June 04, 2014, 11:06:16 am »
Quote from: Daemon on June 04, 2014, 01:24:17 am
The short of it, nope. I don't think it hurts it, and may even help. (...) This shouldn't be hurting pentesters any, and like I said it may in fact even contribute to even more tests being done.

Well, security researchers and full disclosure are what are hurting the "black hat" side of things, but I couldn't honestly say I agree that it helps to disclose all bugs immediately after having found them.