by orborde
2009 days ago
As a company, why would I want to pay the hourly rate at all? Why not contract with a reputable bounty hunter, give them the level of access I'd give the hourly consultant, and pay the hunter bounties for what they find? Seems like that captures the "higher bugs per hour" advantage of the consultant while retaining the "you only get paid for directly producing value" advantage of bounties.
The reason companies pay for app pentests and also run bug bounties is that the two modalities find different kinds of bugs. App pentesters generally get a lot of intel about their targets (source is not unusual). You're also getting a team with bios and a final deliverable that records the diligence work done, which is not an outcome you get with a bounty program.
But you can do things in between. It's not crazy to offer a gig to someone who has delivered a good finding on a bounty project. But you have to do something to incentivize them beyond what the bounty already does, and the most normal way to do that is to not make payment contingent.