Should GOV.UK Run A Bug Bounty?
Cyber security is of vital national importance. As the United Kingdom places more of its infrastructure onto the Internet, bugs and glitches go from minor inconveniences to full-scale national emergencies.
Suppose, for a moment, that a hacker were to interrupt payment processing for banks, or tamper with the UK's water supply, or cut off the phone lines. The economic damage alone could run into the billions.
Anyone discovering such a flaw could illegally exploit it for their own gain, or sell the vulnerability to the highest bidder.
The computer industry's solution to this problem is the "Bug Bounty". Any security researcher or hacker who finds a security bug in, say, Facebook can disclose that bug directly to Facebook in return for cold, hard cash. And a generous "thank you" note. This provides an economic incentive to find and safely reveal bugs.
Some companies band together to provide bug bounties for critical Internet infrastructure. The giants of Capitalism banding together in Socialism to protect their interests. Lovely!
Ideally, I think, Governments should compel businesses to provide bug bounties. Think of it like a form of punitive fine - inapplicable to responsible companies. Force the privatised utilities, large companies, and infrastructure providers to pay up for security flaws in their software and hardware.
It's not so unreasonable; the Government already fines companies for breaches of the Data Protection Act - so why not fine companies for breaches of a future "Computer Security Act"?
But that will be a long time coming. Let's start closer to home.
Why doesn't the UK Government offer a bug bounty for its services?
Imagine that you've just found a gaping huge security flaw in HMRC. With a single command from your computer, you can subtly alter your tax status - or see how much tax an individual has paid - or erase evidence that someone has paid their owed tax.
Ignoring the illegal aspect of acting on your findings - where's the incentive to responsibly report the problem? After all, you'd get a huge pay-day from selling it to the criminal underworld.
Let's step back a bit - how would you even successfully report your findings to the Government?
Assuming you've even heard of the Office of Cyber Security and Information Assurance, the only way of contacting them is via email. They don't offer a PGP key, so there's no way of contacting them securely. Oh, and based on my experience, they don't reply.
One could also try contacting the affected Government agency. But again, based on my experience, they won't have the first clue of how to respond to a reported security flaw.
Finally, one could try escalating to GCHQ's GovCertUK - the security agency charged with protecting vital national computing infrastructure. They do offer a PGP key - but its validity expired at the end of January 2014...
Wouldn't it be brilliant if our shiny new GOV.UK were to offer an easy-to-use form for reporting security vulnerabilities? Obviously, they would need a team acting as a clearing house for all the reports they receive, and the legal authority to test the vulnerabilities reported.
Then, if a bug was found within the Government's IT infrastructure, they could force it to be fixed and offer the reporter a suitable reward. It needn't be monetary, of course; it could just as easily be a medal, an honour, or a Peerage - whatever they deem suitable for strengthening the nation's security.
Is this something the Government should be involved in? Or should citizens simply exhaust themselves trying to report bugs with little prospect of them being fixed and no prospect of a "thank you" - let alone a reward?
Without a bug bounty, what incentive does the Government have for keeping its electronic infrastructure secure? Or do they just believe that the "stick" of criminal sanctions is larger than the carrot of rewarding decent behaviour?
Aaron Bassett (@aaronbassett) says:
I once contacted a local government agency to ask about a bug bounty program after finding a vulnerability in their website which would not only allow me to steal login credentials for their site, but also single sign-on credentials giving me access to many other government websites in the country for the targeted user. Their response:
"Many thanks for your email. All IT and security systems for [redacted] are outsourced to another company. I am sorry that we are unable to assist you further."
Phil Beesley says:
Bounties can be counterproductive. I've experienced test environments where paying a prize to the most prolific bug reporter discouraged participation; some testers, who had assisted believing it was a worthy thing to do, declined to participate when offered the chance of winning a £50 book token.
A lot of bugs are quietly reported by hackers and crackers in order to gain recognition by their peers -- or some publicity for their computer consultancies. The problem is creating an environment in which bugs can be reported without fear of investigation for doing the right thing. Secondary to that is confidence that the problem will be addressed.
But you are absolutely spot on that UK government does not have a clue how to respond to bug reports. Apart from big orgs like Google and Facebook, or small development teams, who does have a response mechanism for bug reporting?
himal said on twitter.com:
MOD ran a limited bug bounty programme but not sure if this will turn into something long term:
civilserviceworld.com/professions/ar…
Dr Jacqui Taylor | Smart City Tsar said on twitter.com:
Necessary 8 years ago as you suggested, vital now.