How to maximize ROI of Bug Bounties and penetration tests

I’ve been doing security bug hunting, penetration tests and managing in-house bug bounty programs for various companies for over half a decade already. During that time I learnt that it doesn’t really happen too often that the hiring company knows exactly what to do with the results of a security engagement.
I’d like to help and suggest what you can do to fully benefit from what you paid for.

FYI — Later in this post I’ll be using pentester/bug hunter interchangeably. Although I know there is quite a difference between those professions, in the context of this article it doesn’t matter.

BugBounties changed InfoSec world for better


Just four years ago, before the Bug Bounty madness started off for real, many companies had a pathetic security posture. Okay, let’s be real here, most organizations, because “many” isn’t emphasizing it enough. In just 4 years the rise of security awareness and the general improvement of organisations’ security posture are really prominent.

I’ll show you proofs one day, I’m just lazy and can’t push myself to migrate bug reports for high profile companies from my mail archive to blog posts. But I promise to do it, so everyone can get a sense of what the web app world looked like just 3–4 years ago and how vulnerable everything was to anyone willing to spend fifteen minutes looking for bugs.

Pentests vs BugBounty for startups and SMBs

I’ve been thinking quite a lot about coming up with a series of articles on how to secure small and medium organizations from the ground up. It was waiting for the right moment, and it’s time to start it, especially since very recently this question appeared on Peerlyst, where I put my $0.02 on the subject. So, as there is a need for decent guidance, let me welcome you to the first article from the series “Securing the business from the ground up”. Expect more articles on subjects similar to this.

I’ve seen many companies struggling with the choice between penetration tests and bug bounties, and in the era of overhyped BugBounty programs this is a big question, both for PR/marketing and for security teams.
There are as many answers to “pentest or bugbounty” as there are people you ask. Everyone has a slightly different POV on this, so I suggest you gather opinions from many people and decide for yourself what works best for your business.
I want to approach this from a slightly different angle than I’ve seen so far, so this should be an interesting read for you.