Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Three completely different assurance models with overlapping names. Bug bounties are continuous, public, paid per finding, and skewed toward what's profitable to find. Pentests are time-boxed, scope-limited, paid per engagement, and skewed toward what's expected to be in scope. Internal reviews see the source and the design but lack the adversary's creative pressure. Knowing which assurance you actually need is half the security strategy.
A new SaaS startup with a public API and no security team: an external pentest costs 50k and finds the obvious. A bug bounty program (HackerOne, BugCrowd) is ongoing and pays only for valid findings — typically 10k each. Internal SAST + DAST catches a different class of bugs and is cheap to run. You probably want all three eventually.
Use these three in order. Each builds on the one before.
In one paragraph, contrast bug bounty, pentest, and internal review.
Walk me through standing up a bug bounty program for a Series-B SaaS company. What scope, what payouts, what triage?
When does a public bug bounty actively hurt your security posture, and how do you mitigate?