Interview on the “SCS in a nutshell” channel about penetration testing versus bug bounty programs

Swiss Cyber Storm and their host Christian Folini invited freelancing bug bounty hunter Raphaël Arrouas and Pentagrid’s IT security analyst Tobias Ospelt to an interview in the “SCS in a nutshell” format about the pros and cons of penetration testing and bug bounty programs. While both approaches are valid methods for finding security vulnerabilities, they differ in many aspects.

The interview begins with a discussion of how much trust a bug bounty program owner must have in the maturity of its own security, and of the trust required in the people who learn about an organisation’s vulnerabilities. It continues with the flexibility of defining rules and scopes, the freedom of picking a scope, and private bug bounty programs, a newer format that is gaining prominence. The pros and cons of the differing economic models, where a company rewards only identified vulnerabilities versus paying for working time, are discussed, as well as the visibility and significance of pentest and bug bounty results and how they are processed internally within a company.

The conversation also highlights the security researchers’ risk of violating the hacker paragraphs StGB 143 and 144 of Swiss law, because the law does not take into account researchers and bug bounty hunters acting in good faith.

The whole interview, which covers additional topics, runs for about 45 minutes and is available on the Swiss Cyber Storm YouTube channel.