
> Bug bounty programs are not supposed to replace your other security activities, but it's a way for you to have an additional source of vulnerabilities.

Exactly the way we position our own Bug Bounty Program. Where the pentesters can be hired to also confirm things done well, the hunters are only paid for failures they found.

In our case there is an added bonus with the Bug Bounty Program: we've come to REALLY appreciate the technical level of reports. Since they only get paid for triagable findings, the details we get reported are so much better than what we used to get from our pentesters. Of course we now require the same quality of reporting from them.

What also helps is that the pentesters are motivated more to deliver higher quality findings since they are aware the service will enter the Bug Bounty Program after their findings are resolved.

Again, BBP should NOT replace your other security activities, they are an additional source with possible unforeseen benefits.
