The first sign of the bug hunting program dates back to 1996, when one of the most famous mathematicians and computer scientists of the last century, Donald Knuth, decided to give $2.56 to each attentive reader for each error found in his most famous book, The Art of Computer Programming. Once started as a game, today bug hunting is an independent trend — in demand and useful.
Today the largest tech giants, such as Google, Facebook, Tesla and Microsoft, have their own programs for finding vulnerabilities in their own products. They have their own vulnerability disclosure policies or bug bounty programs rewarding hackers for different types of vulnerabilities found. There are even dedicated standards that companies can use for setting up vulnerability disclosure and vulnerability handling processes, such as ISO/IEC 29147 (Vulnerability Disclosure) and ISO/IEC 30111 (Vulnerability Handling Processes).
Take a look at the list of initiatives and bug bounty programs in different countries.
The US Department of Defense launched the “Hack the Pentagon” bug bounty pilot program, which was first announced in 2016. The program ran from April 18, 2016, until May 12, 2016, and exceeded all expectations. More than 1,400 specialists took part in the Pentagon’s project. 3,000 vulnerabilities were uncovered, with more than $330,000 paid out to ethical hackers. Former Secretary of Defense Ash Carter said that if the DoD had gone about finding those vulnerabilities in the usual way, it would have cost more than $1 million.
Following up on the success of Hack the Pentagon, another bounty, Hack the Army, was started in November 2017. The program included hundreds of hackers who found more than 100 unique bugs and received about $100,000 in total payouts.
Moreover, the White House took an important step to harden US cyber defenses. The president signed the SECURE Technology Act, which instructed the Department of Homeland Security to set up a program to crowdsource hackers from outside government to participate in a bug bounty program.
In February 2019, the Swiss Post announced that it was launching a bug bounty program in which ethical hackers could test the Swiss e-voting system. Participants checked for overload attacks, social engineering, and the reliability of the security mechanism. The program was in effect for a month — from February 25 to March 24, 2019. The results of the intrusion tests will be used for the development of the e-voting system. Out of the total $250,000 designated for this project by the government, $150,000 will be distributed to the Swiss cybersecurity firm that helps run the bug bounty program, and the rest will serve as bounties for the researchers who found vulnerabilities. The Swiss Post is going to pay for intrusion into the e-voting system, corrupting votes or rendering them unusable, a successful attack on voting secrecy on the servers, manipulation of votes detected by the system, and undetected manipulation of votes. At the time of writing, 67 reports had been submitted.
More than 400 specialists took part in the Singapore government’s project. Four large parties initiated the program: the Gov.sg website, the Ministry for Communications and Information’s Press Accreditation Card online service, the Ministry of Foreign Affairs website, and MFA’s eRegister portal. The program started on Dec 27, 2018, and finished on Jan 16 this year. 26 validated vulnerabilities were found, of which 1 was of “high severity” and 18 were evaluated as medium severity. All of them were fixed. The total bounty paid out was $11,750.
The UK government’s web services have run a vulnerability reporting service since November 2018. The National Cyber Security Centre promises that anything reported will be disclosed. Currently, the government is working on a more transparent way for hackers to report vulnerabilities.
In January 2013 the Dutch government published a general guideline for Coordinated Vulnerability Disclosure. There is no information on how many hackers took part in bug hunting. Remarkably, the Netherlands is preparing its own vulnerability disclosure policy, and everyone can take part in the bug hunting program.
Russia was interested in a similar initiative to search for vulnerabilities in the Russian government’s departments. Recently, the Ministry of Digital Development announced the launch of bug bounty programs for software listed in the domestic registry of the Russian Federation. So far the results of the program are unknown. Another initiative that took place was public testing of the e-voting system.
The European Commission is looking for help from ethical hackers to discover security flaws in some of the most popular free and open source software. In 2015-2016, the European Commission started an initiative called FOSSA, in which it published a list of the Free Software it used; later, the Commission conducted a public survey about what to audit. The results were the Apache HTTP web server and the password manager KeePass, so it audited both with a $1.15 million budget. 14 critical vulnerabilities were found in the KeePass manager. In December 2018, the European Commission started financing the FOSSA 2 bug bounty programs for 14 open source projects. The full list of programs includes 7-Zip, Apache Tomcat, Drupal, FileZilla, VLC, KeePass, Notepad++ and other popular tools. These projects were chosen by a public survey as well.
The French Defence Secretary revealed that they will shortly launch a military bug bounty program. It was stated that at the end of February they are going to announce the first bug bounty of the MoD (Ministry of Defence). Ethical hackers have already been recruited into the cyber operations research department; they are going to track down faults in its systems and be rewarded for it.
In Japan, the coordinated disclosure of vulnerabilities in products such as software is performed in accordance with the “Information Security Early Warning Partnership Guideline”. The processes recommended in the Guideline are in alignment with ISO/IEC 29147:2014 “Vulnerability disclosure”. Through this coordinated vulnerability disclosure process, a total of 1,504 reports had been published as of 30 September 2017.
Ukraine is joining the international community in tackling vulnerabilities through a bug bounty program. The Ukrainian government has announced the Hack Prozorro initiative, which invites hackers to find vulnerabilities in the state-run Prozorro e-procurement system, developed by Transparency International and other NGOs to fight corruption. The actual hacking marathon takes place on September 21st. The amount of the rewards will be determined based on the severity of the vulnerabilities found.
A bug bounty program at the state level is something more than a search for vulnerabilities. It’s about patriotism and honor. There’s hardly a person who doesn’t want to be praised for being a national hero. The same applies to bug hunting: thousands of white hat hackers are honored to help their countries improve security (not to mention that nowadays bug bounty is the only effective way to evaluate a system’s security level).