by lbhdc
1046 days ago
This has been my experience as well. Our pentesters didn't really find anything. It really felt like box ticking. The deluge of people from hackerone found all sorts of little gaps they missed. In the beginning we got a lot of false positives. Things like people creating two accounts and giving them both access to the same resource (a common task in our platform), and filing that as a bug. Probably half of our reports were like this, the other half were real bugs. Over time the reports have dropped off, but still trickle in every now and again. I definitely think the bug bounty was much more effective than the pentest at discovering vulnerabilities.