Bug bounty vs pentesting - my experience
If you want to qualify yourself in cyber security by joining bug bounty programs, treat it like a pentest.
When starting a career in cyber security there are several ways to test your skills and gain knowledge for free while still looking for a role in the field, such as TryHackMe, HackTheBox, etc., and very commonly we newbies try to qualify ourselves for a pentesting position by joining bug bounty programs.
But how much is this actually improving our pentester skills?
Don’t get me wrong, bug bounties are great! My first experiences with hands-on hacking happened thanks to Bugcrowd and HackerOne and I’ve learned a lot through them, but let’s face it: hunting bugs is very different from a penetration test.
When bug hunting, you are chasing any kind of impact you can find within a confined scope, often spending weeks on a single vulnerability.
When pentesting, your client wants all vulnerabilities: exposure to brute-force attacks, missing headers, expired certificates. They are looking for assurance, and in this case everything matters.
You can become the world’s best at chasing XSS but not deliver good security maturity to clients.
“What should I do then?”
Treat your bug bounties like a pentest! I’m aware it takes more time and effort, and when hunting we are usually concerned with delivering quickly, but it is a great way to develop and sharpen realistic techniques and to get closer to what will be done in a company.
In any case, that’s what I’ve learned on my newbie road as a bug hunter who has had a few opportunities to work directly with clients.