2. Pentesting vs Bug Bounty Hunting
In a pentest we look at the application as a whole and search, from a general perspective, for many kinds of weaknesses; it is the more holistic approach. Bug bounty hunting, on the other hand, is about finding high-impact vulnerabilities that can cause real damage and demonstrating exactly how that damage would be done. Bounty findings are detailed, partial discoveries against a specific in-scope target rather than a full assessment.
A. Impact is everything in Bug Bounty Hunting
B. Partial vs General
C. Compliance
Exhibit A
A weak password policy is a perfect example of how bug bounty hunting and pentesting differ. Suppose the login form tells us whether it was the username or the password that was wrong, or lets us make an unlimited number of login attempts. As pentesters we can say: "Guys, you know these are bad practices. Our limited in-house test might not get through the security of the system, but an attacker with countless hours and unlimited time once it is live might cause some form of damage." For bug bounty hunters it is completely different: if we report ONLY this, the company we are testing for is likely to rate it as a low-severity issue, because we have shown no proof of the REAL DAMAGE a weakness like this can cause. In bug bounty testing we need to go the extra step: obtain user access and find out whether, for example, we can take over accounts with higher privileges such as moderators or admins. We need to be able to show the impact we can make.
Reporting a general issue like a weak password policy or unlimited login attempts is not enough for a report to be accepted. If brute forcing that login is WITHIN SCOPE, we can actually do it and prove that we gain access to data or accounts we should not be able to reach.
Exhibit B
If we discover that a session cookie is missing the HttpOnly flag, as pentesters we might say "Okay, this is a potential vulnerability, we should look into patching that". As bug bounty hunters we need to answer the question "How does that lead to actual exploitation of this software?", which for a missing HttpOnly flag means also finding a way to run script in the victim's browser that reads the cookie.
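As an added example for Exhibit B (not from the original page), here is the kind of check a pentester runs to produce the finding in the first place: parse the Set-Cookie headers of a response and list, per cookie, which of HttpOnly, Secure and SameSite are missing. The sample response headers and cookie names are constructed for the demo.

```python
import http.client
import io

# Constructed response headers: a session cookie without HttpOnly/SameSite,
# a correctly flagged CSRF token, and a harmless preference cookie with no flags.
SAMPLE_HEADERS = (
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: sessionid=8f1c2a; Path=/; Secure\r\n"
    b"Set-Cookie: csrftoken=k9d2; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    b"Set-Cookie: theme=dark; Path=/\r\n"
    b"\r\n"
)

REQUIRED = ("HttpOnly", "Secure", "SameSite")


def set_cookie_headers(raw_headers: bytes):
    """Return every Set-Cookie value from a raw header block (terminated by a blank line)."""
    msg = http.client.parse_headers(io.BytesIO(raw_headers))
    return msg.get_all("Set-Cookie", [])


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val}).
    Flag attributes such as HttpOnly map to an empty string."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_values):
    """Return {cookie_name: [missing attributes]} for cookies lacking any of REQUIRED."""
    findings = {}
    for h in set_cookie_values:
        name, _, attrs = parse_set_cookie(h)
        missing = [flag for flag in REQUIRED if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


def run_audit():
    return audit_cookies(set_cookie_headers(SAMPLE_HEADERS))


if __name__ == "__main__":
    for cookie, missing in run_audit().items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

The audit output is the pentest finding; the bounty report starts where this ends, by showing that the sessionid cookie (the one that matters) can actually be read and replayed, for example from an injected script, rather than just listing the absent flag.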