Summary

This chapter discussed the criteria you can use to evaluate bug bounty marketplaces, programs, and individual pentesting targets. It covered different types of programs, their distinguishing features, and some of the basics of the bug bounties offered by Amazon, Facebook, Google, GitHub, and Microsoft, along with the learning resources and the general value of third-party bug bounty marketplaces such as Bugcrowd, HackerOne , Vulnerability Lab, BountyFactory, and Synack. It also went over the appeal of swag reward programs, the unique role of the Internet bug bounty Program, the nature of Coordinated Vulnerability Disclosure and the risks in using third-party brokers, along with how the Rules of Engagement/code of conduct for different bug bounty programs can differ. Finally, it covered setting up systems and processes within your own pentesting engagements to abide by those rules and protect yourself as much as possible.