Performing a pen test or having a bug bounty program is not a hard requirement, but you must show good technical vulnerability management.
In other words, there needs to be a tool in place for external vulnerability scanning (a pen test or bug bounty program would cover this). Your auditor will want evidence of a vulnerability scanning tool and that you are remediating any detected vulnerabilities within your SLAs.
Vanta (and auditors) recommends conducting an annual external pen test, as it’s a reasonably easy control to implement. If you already conduct annual pen tests, you do not need to put a bug bounty program in place (and vice versa).
In need of a pen test or bug bounty program provider? Reach out to firstname.lastname@example.org for an introduction!