
Differences between a bug bounty and a client-initiated pentest

Before we jump into the core details, let's first understand these two mindsets: 

  • Bug bounty pentest mindset:
    • The aim is to find vulnerabilities that have a real impact and fetch a good bounty
    • A complete assessment of the application doesn't need to be done
    • One bug is enough to qualify for a bounty
    • Not all the vulnerabilities in the application are reported, only the ones that were found
    • There are no particular timelines; it can be done at the pentester's convenience
  • Client-initiated pentest mindset:
    • The aim is to ensure that all the application processes and functionalities are tested
    • There is a limited timeline in which the whole application needs to be audited
    • There is no bounty or rewards
    • There is a need to ensure that all the vulnerabilities found by a scanner are validated and reported
    • There is also a need to scope the entire application by understanding all of its inter-dependencies and to ensure that every endpoint is well protected; backend applications such as support portals are often not made available to bug bounty hunters, but they will be in scope for a client-initiated assessment
  • Common points in both the mindsets:
    • Must have the presence of mind to chain multiple vulnerabilities together and cause a high impact on the underlying application
    • Must also be aware of all the endpoints of that particular application
    • Must scope the application's entire presence and test all of its endpoints to find flaws

Take a moment to think about the differences between the two approaches. I'm sure you will agree that the two call for totally different mindsets while performing the pentest.
