Bitcoin Forum
Author Topic: Will $10K for a security audit be money well spent?  (Read 323 times)
Eric Mu (OP)
May 05, 2016, 06:58:01 AM #1
So the company that I work for is interested in getting someone to perform an independent security audit, which has been demanded by our users for a long time. Today, I contacted someone I met briefly at a Bitcoin conference back in 2014, and he sent his quote within a couple of hours (see the screenshot). I am curious as to whether there are any industry standards in this area and whether this service is overpriced or reasonable enough.
NLNico
May 05, 2016, 07:25:49 AM #2
To be honest, I don't know what normal rates are, but it doesn't sound too insane, especially if these are really "top" researchers. Although I am not sure what he means by "packages" (I would assume a penetration test is just all kinds of vulnerability tests on the whole target/site).

The risk with such an audit is that you don't know what results there will be. In theory the report could say "all good, nothing found", although that's an extreme example. Because of that, a (public) bug bounty program is obviously "attractive" too, as you just pay for actual results/bugs (in theory, starting such a program is free). But then there is no guarantee that experienced researchers will have a look at it, and there is no real "report" for stakeholders/users. Also, I would assume that with an audit you can trust the security company a bit more and give a bit more clues/information about the infrastructure, and the researchers could be allowed to use tools that are normally not allowed within bounty programs.

So in the end it's up to you and the company you work for hehe.

But if you do happen to offer a bug bounty program (either after or without the audit), do let me know hehe.
