In response to the news that a 19-year-old is facing a criminal charge for downloading files from Nova Scotia’s freedom-of-information portal, Aaron Zander, IT Engineer at HackerOne commented below.
Aaron Zander, IT Engineer at HackerOne:
“There are two issues at hand. The first, a teen was able to possess large swaths of Personally Identifiable Information (PII) that he shouldn’t. He was only able to possess this after Nova Scotia had incorrectly been populating these from an un-redacted database and never thought to check the information itself. They then posted all of these documents on the web publicly for anyone to grab, again un-redacted. The Nova Scotian government noticed a large number of documents being downloaded by the teen, and then decided that he was in fact in the wrong, when it was the government who facilitated the download furnished with data they provided. There was no way for the teen to know what all of those documents contained when he initiated the download.”
When does/doesn’t a bug bounty make sense for a company?
“Organizations should at the very least implement a channel for responsible disclosure so that should a vulnerability like this exist, it’s reported to the people that can fix it and resolved before being exploited by a criminal. It doesn’t make sense for a company to always offer monetary incentives or bounties from the start. The key to successful vulnerability disclosure and bug bounty programs is being able to manage the volume of reports that come with them. Internal security teams must have a clear and proven process for validating and resolving vulnerabilities efficiently before they allow contributions from outside their organization.”
Are they fairly common now? Are you aware of any governments that use them?
“HackerOne has over 1,000 customer programs currently who have paid out over $27 million to hackers for helping resolve more than 65,000 vulnerabilities to date. More and more companies are adopting vulnerability disclosure and bug bounty programs, especially following the launch of Hack the Pentagon in 2016. The U.S. Department of Defense, Singapore Ministry of Defense and European Commission all have programs on HackerOne.”
Does it make sense for a government to use this technique?
“Because government agencies are so targeted and house so much sensitive information, it’s absolutely important for them to at least have a channel for hackers to disclose vulnerabilities, whether they reward bounties or not. The U.S. Department of Defense has run several time-bound bug bounty programs like Hack the Pentagon, Hack the Air Force and Hack the Army, while also maintaining a vulnerability disclosure program in the background, which welcomes submissions from anyone all over the world and does not offer monetary incentives. In the first year, the U.S. Department of Defense resolved nearly 3,000 vulnerabilities.”