While bug-bounty programs may seem like a cure-all for companies looking to discover vulnerabilities in their systems more efficiently, the fact remains that a program can overwhelm a firm's internal security team and cause other major headaches if it is implemented the wrong way.
“You have to realize that the crowd is going to find a lot more vulnerabilities than your typical in-house pen-test team. So oftentimes, there's this engineering push back, like hold on, we don't have our internal processes set up,” David Baker, chief security officer at Bugcrowd, told Threatpost.