Performing a pen test or having a bug bounty program is not a hard requirement, but you must show good technical vulnerability management. 

In other words, there needs to be a tool in place for external vulnerability scanning (a pen test or bug bounty program would cover this). Your auditor will want evidence of a vulnerability scanning tool and that you are remediating any detected vulnerabilities within your SLAs. 

Vanta (and auditors) recommends conducting an annual external pen test, as it’s a reasonably easy control to implement. If you already conduct annual pen tests, you do not need to put a bug bounty program in place (and vice versa). 

In need of a pen test or bug bounty program provider? Reach out to support@vanta.com for an introduction!