Independent reference. Not affiliated with any vendor listed.

$ diff --left=pentest --right=bug-bounty

Two different procurement models for offensive testing. Different cost shape, different deliverable.

$ answer --question="Should I run a bug bounty instead of a pen test?"

No, not instead. Bug bounty is a continuous, results-based, variable-cost programme that pays only when a researcher finds something. Pen test is a fixed-scope, time-boxed engagement that produces an auditor-acceptable attestation. Compliance frameworks (PCI 11.4, SOC 2, ISO 27001, HIPAA, FedRAMP) generally expect the pen test; bug bounty is additive.

Last verified June 2026

$ stat --slot=1
Fixed
Pen test budget shape
Quoted SOW or subscription
$ stat --slot=2
Variable
Bug bounty budget shape
Bounty payouts on validated findings
$ stat --slot=3
1-2/yr
Pen test cadence
Typical compliance pattern
$ stat --slot=4
Continuous
Bug bounty cadence
Always-on programme
$ left --vendor=pen-test
Pen test

Fixed-scope, time-boxed

Quoted up-front, delivered as a report. Attestation letter satisfies compliance frameworks. Predictable line item.

$ right --vendor=bug-bounty
Bug bounty

Continuous, payouts-only

Platform fee plus per-finding payouts. Researchers worldwide submit findings; you pay the validated ones. Highly variable monthly spend.

$ heatmap --features

$ heatmap --rows=6 --cols=2
CapabilityPen testBug bounty
Predictable budget
Continuous coverage
Compliance attestation letter
Pay only for validated findings
Scope-controlled testing
Brand visibility (public programme)