Governments Offering Bug Bounties for Vulnerability Detection

2021 was a record year for cyber threats, with both the number and severity of attacks reaching all-time highs. While organisations have been doubling down to secure their systems, vulnerabilities nevertheless slip through the cracks.

One increasingly common security measure is the collaborative approach of offering "bug bounties." A bug bounty is, broadly, any program that pays third-party researchers who report vulnerabilities to the organisation in question.

Currently, several major tech companies host various bug bounty programs that can actually be quite lucrative for security experts.

Apple is famous for offering payouts ranging from $25,000 to as high as $1,000,000 while Microsoft offers payouts to the tune of around $200,000 USD. Coinbase, the cryptocurrency exchange, made a payment this year of $250,000 to a journalist who identified a flaw in their interface, and in 2020, Google paid out a total of $6.7 million in bounties.

However, it's not only tech companies taking this approach. More recently, several governments have launched their own reward programs for researchers who choose to collaborate rather than exploit.

Canada

In a May 2022 press release (in French), the government of the Canadian province of Quebec officially announced the launch of its Bug Bounty Program. To boost the online security of government systems and IT assets, it is calling on ethical hackers and cybersecurity experts to help isolate flaws and vulnerabilities before they are exploited by other parties.

While the government currently employs a host of IT professionals, this open call can be answered by anyone interested in information security research. The hope is that this will present an opportunity for collaboration between highly skilled users in the province who are willing to band together to fight cyber threats to important public systems.

The bounty program itself will pay collaborators based on the vulnerabilities they discover. According to the published tiers, payouts range from $50 Canadian to as much as $7,500, depending on the severity of the vulnerability.

USA

In December 2021, the American Department of Homeland Security launched its own bug bounty program that relies on fairly appealing payouts for vulnerabilities as well.

According to its press release, ethical hackers and collaborators can expect between $500 and $5,000 per bounty, again depending on the severity of the issue detected. However, in order to submit, experts will need to have been vetted by the Department of Homeland Security.

The American announcement was hardly haphazard: it came a day after administration officials publicly warned that hackers were attempting to exploit vulnerabilities in Java-based software used by infrastructure agencies. The department seems to be taking the program, along with the cyber threats behind it, seriously: it aims to verify reported vulnerabilities within 38 hours and repair them within two weeks.

The Future?

It is not unlikely that more governments will take a similar approach in the coming years. 2022 is on track to follow the trend of the past few years, with cyber threats continuing to increase. Offering bug bounties is a logical way to bolster the security of vulnerable (and critically important) systems, and it further encourages collaboration between the various operators in the wider security sector.

Considering building a new SOAR integration, upgrading an existing one, or designing custom playbooks? Metron has experience integrating multiple SOAR platforms and building custom playbooks. Metron is a development partner to leading SOAR platforms including Palo Alto Networks XSOAR, Splunk SOAR, and IBM SOAR.

If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to connect@metronlabs.com.