Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Internal bug hunts: Squashing security bugs on a budget

Pieter Ockers (Adobe)
3:50pm–4:30pm Tuesday, October 31, 2017
Teachable moments
Location: Sutton South
Average rating: *****
(5.00, 1 rating)

Who is this presentation for?

  • Security architects and directors

What you'll learn

  • Learn how an internal bug bounty program can help you find security flaws in your applications while improving the security culture at your company


Far too often, testing software for security flaws falls into the “nice to have” category, taking a backseat to the demands of the marketplace and inflexible feature release schedules. In addition to the expense of hiring an outside security testing team, testing for and fixing obscure security bugs hinders an engineer’s ability to put new code in the hands of customers. Fortunately, there is a workaround to this dilemma that promotes application security awareness while helping to reduce security bugs in your applications.

Internal bug hunts, in which employees compete for prizes by finding and reporting security bugs, enable security teams to harness the creativity and problem-solving skills of the workforce while reducing security bugs in their applications. Pieter Ockers explains how bug hunts promote a culture of security awareness by involving participants outside of the security team in a fun and challenging activity.

An internal bug hunt contest can you help you:

  • Find and remediate vulnerabilities before external entities can exploit them;
  • Provide a safe platform for your application owners to test for security bugs;
  • Promote application security awareness;
  • Engage employees outside of the central security team who want to explore the security domain.

Pieter details how to structure a bug hunt program, how to fund it, how to sell it to senior leadership and decision makers, and how to measure the impact.

Photo of Pieter Ockers

Pieter Ockers


Pieter Ockers is a senior security program manager and a member of Adobe’s product security incident response team (PSIRT). In an effort to bend the growth curve of application vulnerabilities reported to Adobe’s PSIRT by third-party security researchers, Pieter launched an internal bug hunt contest at Adobe as a cost-effective method to reduce security vulnerabilities while increasing security awareness and building a community of internal pen testers. Based in San Francisco, Pieter is passionate about engaging with the security research community to build a stronger, more secure and resilient ecosystem.