First, as someone who provides learning material, I think a bug bounty can be your first official pentest:
- You don't need to pass a job interview.
- You don't need to sell the gig to a company.
- You just need to participate and be respectful of the platform.
Furthermore, if you end up being listed in some bug bounty hall of fame, landing a security job will be far easier...
For a company running a bug bounty program, I think you need to be careful and probably avoid giving access to your production environment (to avoid a data leak), and instead set up a pre-prod environment (AWS EC2?) with anonymised data dedicated to the bug bounty (unless your name is Facebook or Google). But other than that, I see it as a less expensive, modern alternative to hiring a pentest company. And you may end up with a lot of testing from a lot of skilled people pretty fast and for a reasonable price.
If you're on Twitter, you have probably heard of Bugcrowd, a new company that offers to manage bounty programs for other companies. I think it's a great idea and I bet a lot of people are already looking into this. I hope they will create a "Private Bounty" program where only identified people (identity check) can participate; it will probably solve the problem of a lot of people being afraid to run a bounty program because everyone will be allowed to attack all their systems (which is not true, since most programs have a scope)...
1 comment:
They pay poorly.