Interest in bug bounty programs as an innovative form of IT security testing is growing constantly, so a natural question arises: "How much do the services of the world's bug bounty platforms cost, and which one is the best deal?" We compared platforms from Europe and the US with Hacktrophy for you.
In the comparison we focused on the key parameters of bug bounty programs, such as the form of security testing, the number of ethical hackers, fees, and above all the cost of individual services. We compared these with Hacktrophy, both in tables and in a more detailed description of the public and private bug bounty program variants.
| | Hacktrophy | Testbirds | Intigriti | YesWeHack | HackerOne | Bugcrowd | Zerocopter |
|---|---|---|---|---|---|---|---|
| Founded | 2017, SK | 2011, DE | 2016, BE | 2013, FR | 2012, USA | 2012, USA | 2014, NL |
| Pentests / Scans | yes (with external partners) | yes | yes | yes | yes | yes | no |
| Bug bounty programs | yes, both private and public | yes (2), private only | yes, both private and public | yes, private only | yes, private only | yes, both private and public | yes, private only |
| Expert support | yes, in the package price or at extra cost | yes, in the price | yes, in the price | yes, external, at extra charge | yes, in the price | yes, in the price | yes, depends on the chosen package, at extra charge |
| Demo of services | yes (4) | N/A | yes | N/A | yes | yes | yes |
| Number of ethical hackers | 650 | 300 | 3,000 | N/A | 166,000 | 80,000 | 150 |
| Prices of bug bounty programs | €2,500 including rewards for hackers | | from €15,000 + rewards for hackers | | from $45,000 | from $24,000 | from €1,000 + rewards for hackers |
1. "Pentest" in this case means a one-off test lasting 2 weeks.
2. A combination of packages (pentests) that serves as an alternative to a bug bounty program.
3. A one-month security test that is an alternative to a pentest.
4. In the form of an online presentation by a sales representative.
Surprisingly, the platforms differ not only in price but also in the variety of what they offer: in the test options and variants, and in the length and style of testing. Because the individual offers are so diverse, presenting them in a table would be inefficient, so we briefly describe what each platform's "bug bounty program" offers to companies in this area of IT security testing.
The Slovak bug bounty platform offers several variants of public and private bug bounty programs. More than 500 ethical hackers registered with Hacktrophy take part in the public ones, which are run by a moderator. An important advantage of Hacktrophy's packages is that a single price covers everything that competitors charge for separately: the moderator, the setup, and the rewards for ethical hackers. For special requirements, such as a fixed test budget, companies can use a custom-made program.
The private bug bounty program engages 20 selected top professionals with security clearance, who can find a number of security vulnerabilities over an agreed period of 1 to 3 months. It also includes support for testing over VPN or under other technological constraints. Since private programs come closer to the level of penetration tests, their price is also higher. However, we make sure that our clients' overall security testing costs are the lowest on the market.
In general, the prices of Hacktrophy's bug bounty programs start at €2,500 and rise according to the nature of the test project. We will gladly give you more information about prices; do not hesitate to contact us.
An example of an unconventional approach to bug bounty programs is the offer of the German company Testbirds. It offers its clients a single kind of service: a one-time security test that lasts 2 weeks, includes 20 basic testers and is available for different platforms (PC, web, apps, …). Program management is included in the test.
Interestingly, Testbirds offers no guarantee that vulnerabilities will be found. It may happen that after 2 weeks of testing, none of the twenty testers reveals a bug or any other type of security risk. The test costs €4,000.
Belgian Intigriti builds a pragmatic bug bounty program. The offer consists of 3 pricing packages, broken down by the specific client requirements and the number of testers. To complicate matters, there are 8 intermediate levels between the private and the public bug bounty program. Only managed programs are available. They cost €15,000, €30,000 or €60,000 per year; individual vulnerabilities are paid for on top of that price, together with a 20% margin for Intigriti.
French YesWeHack offers two types of bug bounty programs. The first, referred to as the starter pack, includes a $6,500 start fee (€1,500), a license fee of €2,500 valid for 3 months or up to 50 vulnerabilities found, and a €2,500 credit for hacker rewards. In addition, the company charges a 10% fee on each reward paid. Prices are quoted excluding tax.
The second package offers a license for 1 year or 75 vulnerabilities (€10,000 excl. VAT), the start fee and a €7,500 credit for rewards. In this case, too, tax and a 10% margin are added to each reward. Overall, the package costs at least €19,000 excluding VAT.
One of the biggest players in the bug bounty market, HackerOne, offers just one type of bug bounty program, called Bounty Pro Managed. For an unlimited testing scope, an unlimited number of found vulnerabilities and 24-hour support from Europe, you pay $30,000 a year. The package also requires a compulsory $15,000 credit for hacker rewards, and a 20 percent HackerOne margin is taken directly from that credit. If your credit is spent in less than 12 months, you can top it up.
Another internationally active American company, Bugcrowd, offers a wide range of bug bounty programs. It distinguishes between private and public programs, and their price is the same: $24,000 per year. If you also want to purchase web or mobile application testing on top of the basic package, be prepared for an extra $12,000. In managed programs, they offer full customer support. The credit for hacker rewards has to be purchased separately, but the advantage is that Bugcrowd charges no extra margin on the rewards.
The Dutch company Zerocopter, which has been on the market for 4 years now, offers 3 levels of bug bounty program. In the Basic program, you can test up to 3 web pages or applications with a response time of 3 days for €1,000 per month. With the Standard program, you can count on faster responses (up to 2 days) for €2,500 per month and test up to 10 domains.
The highest, Full, program offers testing of up to 25 domains or applications for $5,000 per month. The response time is 1 day, and the offer also includes 24-hour support for €2,000 per month. For all Zerocopter programs, the funds needed to reward hackers, to which the company adds no margin or extra fees, must be added on top. So the price can rise by several thousand euros.
One-off tests of online security
In addition to the classic bug bounty programs, we also looked at alternatives to penetration tests, i.e. private and time-limited bug bounty programs. See the types of one-off tests and the fees charged by each platform. The most expensive packages are offered by the American companies.
| | Hacktrophy | Testbirds | Intigriti | YesWeHack | HackerOne | Bugcrowd | Zerocopter |
|---|---|---|---|---|---|---|---|
| Length of the test | 30 – 90 days | 14 days | Unknown | 90 days or 50 vulnerabilities | 30 days | 14 days | N/A |
| Price of the test | min. €3,500 + rewards for hackers | €4,000 | based on specification, on demand | €4,000 + rewards for hackers (€2,500) | $22,000 including rewards for hackers | $10,000 + rewards for hackers ($15,000) | N/A |
| Number of testers | 20 and more | 20 | N/A | N/A | according to test specification | 15 – 30 | N/A |
| Extra commission for the platform | 20% of hackers' rewards | No | 20% of hackers' rewards | 10% of hackers' rewards | 20% of hackers' rewards | N/A | No |
The best offer among the bug bounty platforms
Although Hacktrophy has been on the market for only a relatively short time, its offer makes it a worthy competitor to companies that have been operating in this segment much longer. Our offer is evolving together with our clients, but already today you have full-featured bug bounty programs available. Besides the low prices of our services, we offer more variety. For Slovak and Czech companies, a domestic solution with support in Slovak or English can be a further advantage.
Compared to the competition, Hacktrophy's offer is generally cheaper. To find out how much it would cost you to test your IT security in the form of a public bug bounty program or a one-off security test (a private bug bounty project), please do not hesitate to contact us.