No, it’s not a hard requirement that you perform a pen test or have a bug bounty program in place but you do need to show good technical vulnerability management.
In other words, there needs to be a tool in place for external vulnerability scanning (a pen test or bug bounty program would cover this). Your auditor will want to see evidence of a vulnerability scanning tool, and that you are remediating any detected vulnerabilities within your SLAs.
Vanta (and auditors) recommends conducting an annual external pen test, as it’s a fairly easy control to implement. If you already conduct annual pen tests, you do not need to also put a bug bounty program in place (and vice versa).
In need of a pen test or bug bounty program provider? Reach out to your Customer Success Manager for an introduction!