Just for reference, the former example you give is just a bug bounty as far as I can tell.

The discussion of the relative merit of a bug bounty versus a pentest is well-trod ground, so I won't rehash it here except to say I would never consider a bug bounty a replacement for a pentest, and if you're asked for a pentest report as part of third-party vetting etc., many organizations will be concerned to see a report compiled from a bug bounty program.

The latter example sounds like https://cobalt.io/. I've seen several reports and all I can say is if I were vetting a third-party or otherwise looking for assurance of security posture I would still want to see a "real" pentest from a reputable firm.



Was going to say similar things. A bug bounty has value -- and it's effectively to incentivise someone who finds a vulnerability to tell you, rather than exploit it or sell it to someone who will exploit it. It's the same as a pen test.

I don't want to name companies and start a war, but the industry is moving in a dangerous direction with some of the other options -- there are companies offering pen testing where those companies have no full-time employees. They post the scope, and their registered users can sign in, take the work, and deliver it. Quality is all over the place. And things like confidentiality, data processing, etc., and any way to confirm a corporate entity adheres to their contractual obligations? Nonexistent.