Security Explained: Penetration Testing vs Bug Bounties
17 December 2020
In the world of application and network cybersecurity, you may have asked the question: what is penetration testing? Or what are bug bounties? Trying to find the right security and what precautions to take can be a difficult task. It is something that requires research and some knowhow. We know that coming into the technical side of cybersecurity can be quite daunting. We’ve decided to breakdown these two important steps of development to help out with the research.
Bug Bounties and the Bounty Hunters
Bug bounties are an option that any company or developer can offer before or after the release of their product. Effectively, you put out a monetary reward for any hacker who can find a vulnerability and provide a proof of concept to your team. This is anything from bugs and issues with the functionality to direct security vulnerabilities that compromise the safety of the product.
Hunting bug bounties is a lot like bounty hunters in pop culture. They are hunting down things that need to be found and stopped. This requires the skill set of a hacker used ethically to validate your product by seeking out the vulnerabilities.
In this way, companies like Cyrex wouldn’t often do bug bounties full-time. While our teams do sometimes hunt them down, it’s often on the weekends and during hackathons. Instead, bug bounties would likely be the target of singular or collectives of ethical hackers. Any number can pursue these bounties which can help to almost guarantee a discovery with anywhere between hundreds and thousands of ethical hackers making the attempt.
It’s a time-consuming process, one that involves a lot of research and investigation into the more eclectic and farfetched bugs. These typically take a lot of time to discover and replicate. When working on an application, developers will typically use a certain library. These bounty hunters can search through the chosen library and its assets. They can use their time to seek out these exotic flaws that might not be found by any standard user. But they may be found by a malicious actor! And that’s where the bounty hunters help out, shutting down the vulnerability and notifying the developers before it can be abused.
Typically, you’d expect to employ bug bounties after a full penetration test. Due to the nature of bug bounties, offering a €1000 bounty per bug found it could cost you a lot of money if you haven’t followed the sequence of testing.
Penetration Testing and the Sequence of Security
The sequence of security or testing is a phrase that we use a lot at Cyrex. While Cyrex doesn’t offer bug bounties in any official capacity, we would never suggest you avoid the service. Using penetration testing does not exclude the use of bug bounties and vice versa.
To use an example, if we found about thirty bugs in a standard penetration test, our price is fixed. However, if you were to offer that €1000 bounty per bug, suddenly you’re looking at a €30000 investment.
The importance of penetration testing before engaging in any bug bounty program cannot be overstated.
In comparison to the more freelance and freeform bug bounties, a penetration test is a more structured and company-based service. It is the first step in securing your programs. In comparison to bug bounty hunting which has no time limit, penetration testing is done within a set time and budget. It is the job of the penetration testing team to find as many bugs as possible in the timeframe.
For these tasks and many others, Cyrex employs ‘pair-hacking’ methods. By having our hackers work in pairs, we can deliver high-quality results in at least half the time. In this way, we can emulate a typical hacker environment, mentality, and behaviour as a normal malicious actor would work in collaboration with others.
This method also allows us to maximize our output for a given timeframe, meaning the time you take for penetration testing will yield a higher result.