Third-party penetration testing is a worthwhile security initiative. These professionals can probe an application for weaknesses and rely on their experience gleaned from many engagements to discover vulnerabilities which are particular to the application’s language, architecture, etc. White box engagements, meaning the testers have access to source code, give testers deep insight into the application which can lead to the discovery of hidden vulnerabilities. CDD’s penetration testers, Cure53, do a great job and we appreciate their contributions to CDD’s security.
Limitations of Traditional Penetration Testing
However, the most common model of penetration testing, an annual engagement, has a few issues:
- Penetration tests are inherently a point-in-time assessment of limited scope. Applications can change a lot over the course of a year, so vulnerabilities can lurk for months before they’re found.
- The logistics of most penetration testing engagements don’t allow testers to probe every single component of an application. Instead, the testers will likely look for common issues first and then home in from there. Again, this means issues can persist for months, even years, because a tester never had the time, reason or resources to look.
The Advantages of Bug Bounties
Where penetration testing struggles is also where bug bounties shine.
- While a penetration test may last a few weeks, the bug bounty is always available. CDD maintains a dedicated bug bounty instance of Vault so our bug bounty participants, called hackers, can always work.
- New features are tested as soon as they’re released, which reduces the time from a vulnerability’s introduction to its resolution from months to days. We even pre-release features to our hackers, which allows us to resolve issues before they are ever deployed to production.
- Without a deadline, hackers have the freedom to test every component of the application from every possible combination of user role, Vault membership, etc., to find the most nuanced vulnerabilities.
There are no “one size fits all” fixes in security. CDD is committed to security, which is why we engage traditional penetration testers and invest in a high-functioning bug bounty program to provide a multifaceted approach to external testing.
If you’d like to participate in our bug bounty, please see our Knowledge Base article. If you’d like to learn more about CDD’s security, please see our Security Policies page or our Trust Center.
CDD Blog, April 14, 2025: Let’s Talk Security - Why a Bug Bounty May Be More Valuable Than a Penetration Test