Bug bounty programs: A tool you should have in your cyber security arsenal

Caleb Queern reviews bug bounty programs as a way to find vulnerabilities in your Internet-related infrastructure quickly and at the lowest possible cost.

Looking for a way to find bugs and vulnerabilities in your Internet-related infrastructure as quickly as possible, at the lowest possible cost? Bug bounty programs may well be a valuable solution your information security team should embrace.

Bug bounty programs leverage the available time of highly talented, non-employee security researchers, who identify information security issues in your systems and responsibly disclose them to you on your terms.

While the original "Bugs Bounty" program was created back in 1995 by a technical support engineer at Netscape Communications Corporation, the concept has only more recently gained the attention of information security executives and professionals.

In this first of two podcasts on bug bounty programs, Caleb Queern, a security services-focused member of KPMG’s Advisory group, sat down to discuss:

  • the three players in the bug bounty ecosystem
  • the misconceptions about bug bounty programs
  • appropriate bug bounty scope, including websites, application programming interfaces (APIs), and Internet of Things offerings.

Caleb Queern

Director, Cyber Security, KPMG US