Day 43 of 60 · Process, code review & AI-assisted
Penetration testing & bug bounties
Adversaries spend months attacking; your team spent two days defending. Bug bounties scale the asymmetry back continuously; pen tests reset the baseline on a fixed cadence.
Problem
Adversaries spend months attacking your system. Your team spent two days defending it.
How it works
A pen test is a scoped, time-boxed engagement: external testers attack an agreed target and hand back a report. A bug bounty opens the same invitation to independent researchers continuously, paying per validated report. Cost is high; the deterrence value is real.
What it catches
Authentication bypass, IDOR, business-logic flaws and novel exploitation chains: the classes automated scanners rarely reach because finding them requires reasoning about what the application is meant to allow. Bug bounties, with many researchers probing from the outside, also surface enumeration and recon flaws (forgotten hosts, verbose error responses, guessable identifiers).
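An added example, written for this lesson and not taken from the page or from any of the OWASP projects it lists: the IDOR class named above, shown as three versions of one invoice handler (the vulnerable form, a partial fix that stops the data leak but still confirms which ids exist, and the hardened form), together with the two checks a tester runs by hand. The invoice records, the session shape and every function name are constructed for illustration.

```javascript
// Added example, not code from the page or from Juice Shop / WebGoat / NodeGoat.
// Constructed in-memory "database": invoice id -> record with its owner.
const invoices = new Map([
  [1001, { ownerId: "alice", total: 120.0 }],
  [1002, { ownerId: "bob", total: 980.5 }],
  [1003, { ownerId: "alice", total: 42.0 }],
]);

// Vulnerable: the id comes straight from the URL and nobody asks who the caller is.
function getInvoiceVulnerable(session, invoiceId) {
  const inv = invoices.get(Number(invoiceId));
  if (!inv) return { status: 404 };
  return { status: 200, body: inv };
}

// Common partial fix: ownership is checked, but a foreign id gets 403 while a
// missing id gets 404. The record no longer leaks, yet the status code tells an
// outsider exactly which ids exist (an enumeration/recon flaw).
function getInvoicePartialFix(session, invoiceId) {
  const inv = invoices.get(Number(invoiceId));
  if (!inv) return { status: 404 };
  if (inv.ownerId !== session.userId) return { status: 403 };
  return { status: 200, body: inv };
}

// Hardened: validate the id, then treat "not yours" exactly like "does not exist".
function getInvoiceHardened(session, invoiceId) {
  const id = Number(invoiceId);
  if (!Number.isInteger(id) || id <= 0) return { status: 400 };
  const inv = invoices.get(id);
  if (!inv || inv.ownerId !== session.userId) return { status: 404 };
  return { status: 200, body: inv };
}

// Tester check 1: logged in as one user, sweep the ids around your own and
// collect every record that came back belonging to someone else.
function enumerateLeaks(handler, session, from, to) {
  const leaked = [];
  for (let id = from; id <= to; id++) {
    const res = handler(session, String(id));
    if (res.status === 200 && res.body.ownerId !== session.userId) leaked.push(id);
  }
  return leaked;
}

// Tester check 2: ignoring your own records, does the endpoint answer with more
// than one distinct status over the sweep? If so it separates "exists" from
// "does not exist" and an attacker can map the id space.
function revealsExistence(handler, session, from, to) {
  const codes = new Set();
  for (let id = from; id <= to; id++) {
    const res = handler(session, String(id));
    const own = res.status === 200 && res.body.ownerId === session.userId;
    if (!own) codes.add(res.status);
  }
  return codes.size > 1;
}

// Run both checks against every variant; returns a report keyed by handler name.
function sweepAll(session, from, to) {
  const handlers = { getInvoiceVulnerable, getInvoicePartialFix, getInvoiceHardened };
  const report = {};
  for (const [name, h] of Object.entries(handlers)) {
    report[name] = {
      leaks: enumerateLeaks(h, session, from, to),
      revealsExistence: revealsExistence(h, session, from, to),
    };
  }
  return report;
}

// Usage: console.log(sweepAll({ userId: "bob" }, 1000, 1005));
```

Sweep ids near your own account while logged in as a low-privilege user. The vulnerable handler hands back other users' records outright; the partial fix stops that but answers 403 versus 404 and so still confirms which ids exist; the hardened handler answers 404 for both cases. Unguessable identifiers lower the sweep's yield but are not a substitute for the ownership check.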
Tools
- HackerOne (SaaS)
- Bugcrowd (SaaS)
- YesWeHack (SaaS)
Verdict by project size
- Small: Skip
- Medium: Optional
- Large: Recommended
- Extra-large: Must
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 0h | 0h | $0 | 0 min |
| Medium 10–100k LOC | 0h | 5h | $0 | 0 min |
| Large 100k–1M LOC | 0h | 40h | $5k | 0 min |
| Extra-large >1M LOC | 0h | 200h | $50k | 0 min |
Setup = engineer-hours to first useful run ·
Maint = engineer-hours / month at steady state (scoping, triage, retest) ·
Tool = out-of-pocket $ / month (platform fees and bounty payouts) ·
CI = minutes added (or saved) per pipeline run; pen tests and bounties run outside the pipeline, so none
Lifecycle & ownership
When in lifecycle: Release · Operate
Periodic · Quarterly or on-demand campaigns.
Who owns it: Security / AppSec
SAST, DAST, threat modelling
Collaborates with: Developer, Security / AppSec
Reference implementations
- OWASP Juice Shop: canonical vulnerable web app for penetration testing and security training.
- OWASP WebGoat: deliberately insecure Java application for practicing and validating web security testing.
- OWASP NodeGoat: Node.js vulnerable app showing OWASP Top 10 issues and mitigations.
Quick check
A bug bounty program complements pen testing because it…