
What is the difference between a bug bounty and a vulnerability scan?

Imagine a house that you want to insure:


An automated vulnerability scan performed as part of a serious website security audit (we call this an "AI scan") is like a security robot that walks around your house every day, checking a fixed list of known weaknesses: loose windows, weak door locks, a broken alarm system. The robot works methodically and never gets tired, so it reliably catches every problem on its list. But it can only find what is in its database: known vulnerable software versions, common misconfigurations, and recognizable patterns. A weakness that does not match a known pattern, such as a flaw in how the house was designed, is invisible to it.


Our bug bounty program, on the other hand, is like hiring professional burglars and telling them, "Try to break into my house. If you find a way in that I don't know about, you'll get a reward." These ethical hackers think creatively and find unusual routes that an automated scan would never consider. Maybe they discover that you can climb the tree to reach the roof and enter through the chimney, or that the smart doorbell can be tricked into unlocking the door. Their reward depends on finding something new, so they concentrate on exactly the kinds of flaws a scanner cannot see.


The combination of both approaches is ideal:

  • The automated scan runs continuously and reliably finds known problems, including ones that reappear after a change or update

  • The bug bounty hackers bring human creativity and experience to discover hidden or previously unknown vulnerabilities, such as logic flaws that no scanner signature describes


It's double protection: the machine does the routine work, and people look for the harder problems. Neither one replaces the other, because each finds what the other misses.

FAQ – Frequently Asked Questions
