How Commercial Bug Hunting Changed the Boutique Security Consultancy Landscape
It’s been almost 10 years since the first commercial for-profit bug bounty program was launched. Bug bounty programs have transformed the information security sector, and their negative impacts have been advertised as driving down companies’ consulting rates and raising ethics questions within the cybersecurity community. However, boutique security consultancies, particularly those that offer penetration testing and reverse engineering services, haven’t lost consultants at an alarming rate, nor have these small consulting companies experienced a decline in hourly rates.
Instead, boutiques began to reposition their attack-based services, doubling down on the value of combining reverse engineering and code reviews to uncover bugs more efficiently than bug bounty programs do. They also used bug bounty programs to their advantage, treating the results of the programs and competitions as a vehicle for recruitment. One ramification of this is that new stars on bug bounty leaderboards often disappear once they are hired as consultants by these boutique security consultancies. Although crowdsourced bug bounty programs will continue to be a valuable asset to enterprises, experts maintain that reliable support from consulting companies will remain essential to the security process.