How the Government Should Use Bug Bounty Programmes


In 2017, a hacker broke into the database of Zomato, India’s largest online restaurant guide, and accessed five vital details – names, emails, numeric user IDs, user names and password hashes – of around 17 million users. The hacker then offered up the details for sale on the darknet before entering into negotiations with the company. The incident set alarm bells ringing in the country’s cybersecurity network as internet users often use the same passwords for multiple accounts, including social network sites, mailbox services and banking applications.

Soon after, Zomato posted a series of blogs with details about what had gone wrong. It also said the security breach, in this case, was the work of an “ethical hacker” who merely wished to draw the company’s attention to the vulnerabilities of its database and to convince it to launch a bug bounty programme – thus reviving focus on a subject that has gained prominence in the field of global cybersecurity in the past six to seven years.

A bug bounty programme, also known as a vulnerability reward programme, is a deal offered by some websites and software developers under which individuals can receive remuneration, in cash or kind or in terms of recognition, for reporting bugs. While many companies, including Google, Microsoft and Facebook, have invested millions in bug bounty programmes, government and security agencies in some countries, too, have been experimenting with these over the past year. Last year, the United States Department of Defence launched a bug bounty programme titled “Hack the Pentagon”, the federal government’s first bug bounty initiative, followed by “Hack the Air Force” launched in April. Both were launched on the platform HackerOne, and Zomato has said it will be introducing its bug bounty programme on the same platform.

In India, even Union ministries and elite security agencies, apart from government bodies, have been victims of a wide range of cyberattacks, from website defacement to ransomware. On multiple occasions, including one reported in April, websites of government agencies and universities in India have fallen prey to mass cyber attacks allegedly executed by groups of Pakistan-based hackers. However, cybersecurity experts said the government agencies are still oblivious of the bug bounty experiment on the ground.

“Bug bounty programmes have been effective worldwide,” said Pavan Duggal, an advocate and expert in cybersecurity. “Global giants are investing in bug bounty programmes today and it is high time government agencies in India also considered it.”

Indians top bug hunters
While the thought of government agencies in India investing in bug bounty programmes might still seem far-fetched, the country happens to be the largest contributor of bug hunters worldwide, according to various security researchers and a report published by leading bug bounty platform Bugcrowd. Indian hackers top the charts globally both in terms of numbers and payout. For instance, Facebook invested around $5 million in bug bounty programmes between 2011 and 2016, and the top three countries based on the number of payouts were India, followed by the United States and Mexico.

“It appears that the Indian government lacks the will to invest in cybersecurity,” said Kislay Chaudhary, a cybersecurity expert and consultant to several Central government agencies. “The global figures also indicate that India is a bank of talent in the field of cybersecurity. If only the government had the will to utilise it.”

Some bug hunters provide their services for free to non-governmental associations. At times, they receive gifts or merchandise as a token of gratitude, said an ethical hacker who did not wish to be identified. He added that all it takes for a website to open itself up to a bug bounty programme is to put up a notification and to collaborate with a bug bounty platform.

But many organisations, including government agencies, refrain from doing so fearing two things.

Chaudhary explained, “First, they feel that an open bug bounty programme will attract more black hats [hackers with malicious intentions] to the website.” He added, “But what they fail to understand is that an unchecked and vulnerable website can be targeted by black hats anyway and at any time, despite having experienced that on multiple occasions.”

According to Vineet Kumar, a cyber expert and consultant to several government agencies, the other reason could be a matter of investment. “There is a perception that making oneself available for a bug bounty programme would imply one’s failure in investing enough in cybersecurity through internal resources.”

Better late than never
Despite the reluctance, there has been a gradual acceptance of cybersecurity measures by government bodies in recent years. Kumar said that in the last two to three years, some government agencies have opened their websites up to checks and challenges periodically (mostly once a year) in collaboration with private partners. “These are not exactly bug bounty initiatives but at least they make the effort to invite programmers, cybersecurity experts and hackers to examine systems for a limited time period and point out vulnerabilities and give solutions. One example would be the India Smart Grid Forum [a public-private partnership initiative of the Union Ministry of Power for development of smart grid technologies in the Indian power sector].”

The cyber expert added, “Investing in bug bounty programmes is far more economical than investing in periodic cybersecurity audits or employing ethical hackers for bug hunting round the year.”

Kumar’s Jharkhand-based non-governmental body, Cyber Peace Foundation, wants to organise a cybersecurity challenge later this year to emphasise the role and importance of bug bounty programmes among other security measures and is currently in talks with some Central government agencies regarding this.