Bug bounty programs: How to make them successful for your business

Caleb Queern reveals why it is important to define the scope and parameter of your bug bounty program and provides a checklist for success.

If your information security team recommends instituting a “bug bounty program,” they’re not advocating that you unleash hordes of hackers to find vulnerabilities in your Internet-related infrastructure. Rather, they’re suggesting a modern method of utilizing external, professional security researchers to help reduce information security risks.

While the goal of bug bounty programs is to provide “more eyes and hands on the information security keyboard” in order to quickly and cost-effectively identify and report bugs and vulnerabilities, their success is rooted in multiple factors.

In this second of two podcasts on bug bounty programs, Caleb Queern, a security services-focused member of KPMG’s Advisory group, sat down to discuss:

  • why it’s important to define the scope and parameters of your bug bounty program
  • why starting small and scaling up over time will reap the best rewards
  • a checklist for helping ensure bug bounty program success. These include pre-kickoff communications among development, operations, and customer service teams, the types and/or volumes of vulnerabilities you’re currently seeing, and the metrics you’ll use to demonstrate the value of the program to management.
Caleb Queern

Caleb Queern

Director, Cyber Security, KPMG US