[Tech Thoughts] DICT’s bug bounties and ethical hacking at a glance

The Department of Information and Communications Technology on January 14 released department circular HRA-002, which laid down the revised and consolidated guidelines, rules, and regulations on vulnerability disclosures and the country’s safe harbor policy and bug bounty program.

DICT Secretary Henry Aguda even went to the Rootcon hacking conference last year for the purpose of advertising this development, saying that the country’s hackers should be using their skills “to protect, not to destroy.”

To that end, the institution of the Safe Harbor Policy and Bug Bounty Program (SHPBBP) should be a welcome note for those with the right set of skills, as it tries to incentivize responsible cybersecurity disclosures for government services.

Let’s look at what this all means, especially if you haven’t heard of this development.

Ethical hackers, bug bounties, and safe harbor policies

Ethical hacking is the process by which a cybersecurity professional, also known as a white-hat hacker, identifies and helps fix vulnerabilities in apps, systems, or technologies before that vulnerability can be used maliciously by an unethical, or black-hat, hacker.

As such, ethical hacking simulates real-world cyberattacks to assess a system’s risks so the given systems can be improved upon or otherwise strengthened in security.

To make ethical hacking rewarding for white-hat hackers, bug bounty programs are organizational structures set up to assess and offer financial compensation for the work of uncovering and responsibly turning over vulnerabilities to the people developing the systems that have been hacked. This is so the security of said systems can be improved upon.

Bug bounty programs often come with protections for hackers to do their work.

These safe harbor policies are designed to protect white-hat hackers or security researchers from administrative, civil, or criminal liability should they find something in the process of hunting down bugs, so long as they properly disclose their research according to the specifics of a given bug bounty program.

What is DICT’s SHPBBP circular about?

The SHPBBP of the DICT outlines the protections and requirements needed to participate in the DICT’s bug bounty program.

Now, you might be wondering then if anyone can participate in a bug bounty.

For the purposes of the DICT’s circular, you have to, at the very least, be a professional cybersecurity researcher to participate. You also have to register yourself under a Know Your Contributor (KYC) procedure to even be eligible to get rewarded from a bug bounty.

Specifically though, the circular said it applies to the following:

• All national government agencies under the Executive Branch, including Government-Owned and -Controlled Corporations and their subsidiaries, Government Financial Institutions, and State Universities and Colleges, including those under the *.gov.ph domain and DICT-managed platforms;
• The Philippine Congress, the Judiciary, Independent Constitutional Commissions, the Office of the Ombudsman, and Local Government Units are highly encouraged to adopt this Circular;
• Private entities voluntarily enrolled under the DICT’s Public-Private Cybersecurity Partnership Program;
• Critical Information Infrastructure (CII) operators, as identified under the National Cybersecurity Plan (NCSP); and
• Cybersecurity Researchers that are responsible for identifying and analyzing potential threats to an organization’s network and systems.

Safe harbor protections will only apply, meanwhile, if you’re a security researcher who is testing only the systems declared within the scope of bug bounties; you do not commit any sort of unauthorized data exfiltration, alteration, or service disruption; you report vulnerabilities responsibly and privately to the DICT or the authorized entity; and you keep your findings private and do not disclose them until such time as the issue you’ve found has been resolved or you’ve been permitted to discuss it publicly.

How does it all work?

You may be curious how this works in practice, so here’s how it would generally play out.

A security researcher applies to join the DICT’s initiative through the Know Your Customer procedure mentioned above. They have to complete the entire process and be accepted to be eligible for cash rewards. Conflicts of interest — for instance, DICT personnel and third-party service providers engaged by the DICT — disqualify potential applicants from participating in these bug bounties.

The bug bounty program will have its bounties set by participating entities, namely the government agencies needing help, or government partners who want to set a bounty of their own. Funding to make this circular work “shall be charged against the existing budget of the covered agency or institution, and such other appropriate funding sources as the Department of Budget and Management may identify, subject to relevant laws, rules, and regulations.”

These bounties — including what sites or services and what aspects of those said sites and services are in need of testing — are listed on a vulnerability disclosure program portal (VDPP), a website dedicated to hunting the bugs and reporting them. This is hosted and maintained by the DICT’s cybersecurity bureau.

Bugs and issues properly reported to the VDPP can fall under four possible security scenarios ranging from Critical, High, Medium, and Low, with potential payouts based on industry rates depending on the reports and their severity.

The DICT’s cybersecurity bureau will validate the reports, and will give those with validated reports “appropriate certificate/recognition for the researcher’s contribution in reporting and/or
resolution of the validated vulnerability.” Private sector participating entities, after coordinating with the DICT cybersecurity bureau, may give appropriate monetary rewards or incentives based on the structured incentive mechanisms outlined in the VDPP.

Aside from monetary rewards, there is also the standing involved as responsible disclosures get some time in the government spotlight. Rewards include digital and printed certificates, public acknowledgment on the VDPP, and Inclusion in other DICT citations, as per the circular.

A much-needed development

A national bug bounty program with defined rules for engaging in the process is good news and a much-needed development in the cybersecurity space, as it should help incentivize ethical hacking in the long-run while improving government systems in the now.

If you’re a burgeoning cybersecurity professional, this can be a good way into the industry, so long as you know what you’re doing and do the work required for responsible disclosures.

Check out the circular linked here for details and get involved. You could be helping to improve government security from some bad people. – Rappler.com