No, it’s not a hard requirement to perform a pen test or have a bug bounty program, but you need to show good technical vulnerability management.
In other words, there needs to be a tool in place for external vulnerability scanning (a pen test or bug bounty program would cover this). Your auditor will want to see evidence of a vulnerability scanning tool and that you are remediating any detected vulnerabilities within your SLAs.
Vanta (and auditors) recommends conducting an annual external pen test, as it’s a reasonably easy control to implement. If you already conduct annual pen tests, you do not also need to put a bug bounty program in place (and vice versa).
In need of a pen test or bug bounty program provider? Reach out to your Customer Success Manager for an introduction!