Bug Bounty and India
CERT-IN should take the lead in demonstrating support for Bug Bounty hunters and BB Programs ……
The benefit of bug bounty programs to organizations is, by now, a proven fact. In fact the US Defense Department has allowed (friendly) foreign countries too, to participate in the bounty programs, and has extracted great benefit from the exercise. Unfortunately, in India, government and private sector entities look at bounty programs suspiciously and are reluctant to do start one.
Sadly, CERT-IN has done NOTHING to address this misconception and to promote this healthy practice which can help save a lot of grief for the Indian organizations. Many believe that CERT-IN is not doing this because the work done by the members of the “empanelled auditor club” may come under scrutiny!
Imagine the situation where a 10 yr old bounty hunter finds a major bug in a government site which was given a clean chit the day before! Who will take the hit to explain the oversight.
Frankly CERT-IN has a big task on hand and will also have to sensitize the country to the fact that bugs will continue to be found and such a situation wouldn’t imply lack of diligence on the part of the CERT-IN auditor.
Talk talk and talk…
Till date there have been gigabytes of discussions on bug bounty on the web, in print and in conferences but I have yet to see a position statement by CERT-IN. This is the sort of silence that is not expected from a CERT as they are expected to be at the cutting edge of technology. If you are supposed to be the emergency responders you HAVE to know it all… Hai na??
Not too easy! No one said anything is easy!! Welcome to life. I
What is the world doing
The US government is using bug bounty programs to reap the benefit of having the best brains in the world work for them, based on success fees. The same benefits are being reaped by the big and small corporations and this includes Facebook, Google, Microsoft etc.
What is expected from CERT-IN
Start by telling the government that bug bounty is not a bad thing and that it is one way to get the best brains in the country to work for them Tell the government and the enterprises that bug bounty hunters are not criminals who will compromise your systems (they are already compromised <LOL> and things can be worse).
That the bug bounty hunters are an ethical lot of highly intelligent hackers who (mostly) work independently – they are usually the best guys in the business. This talent is not available with the empanelled auditors and will be a bonus for the organization which is being tested by a bug bounty hunter.
In short do something to start this BB culture in the country so that we benefit with the talent of our hackers and the narrow mindedness of the Indian enterprises and government departments is cleared .
What do the Bounty hunters expect
There is a wrong misconception that the bug bounty hunters expect big $$$$ dollar payouts for their research and this is far from the truth. I have had a number of interactions with BB guys and they expect a “fair” payment.
Everyone knows that you cannot expect a $1k or $10k payment from an Indian entity but is more than willing to work for national good and accept lower payout. However, the request is that the payout should NOT be indecent because many have had experience of horror amounts like Rs 100 or 500 for services! This is a shame, for sure and no self respecting BB guy will ever work for s*!* so CERT should closely look at setting reasonable remuneration if it sets out to promote bug bounty culture in the country.
I must say that a number of bug bounty hunters may workpro bono and be satisfied by being mentioned on the Hall of Fame.
In any case there are many variations in the bug bounty scenario in the country, waiting to happen and it will be to the nation’s credit if CERT takes the lead.
The work environment that can be offered at CERT-IN will be highly challenging and intense. Anyone undergoing an internship in such an environment will gain valuable knowledge and experience, and can also be evaluated by CERT-IN for placement within or at any government department.
As such CERT-IN can start short term / long term internship programs (short term = 2 or 3 months and long term = upto 12 months). This program can be offered in collaboration with academic institutions and training institutions across the country; or they can get direct entries based on some sort of test. The program should not be restricted to tier 1 cities or ‘big name’ institutions as there is a lot of talent from all over the country. It is essential for the program to be well designed and should be planned with live exposure, industry visits, government department visits etc.
Who can Intern
The interns can be young professionals who are completing their graduate / PG program or employed professionals who are seeking change or seeking to upgrade their skills. The entry to the internship program can be based on an exam and interview.
What will the Intern learn
Oh CERT is the epicenter of cyber security activity and if the intern does not learn here then he/she will not learn anywhere and should just get out of the IS profession. It is my belief that the intern will learn a lot being exposed to threat intel operations, forensics, incident response, and much more.
Visits to various organizations as well as to government departments will expose the professionals to real world scenarios and provide them with the insight to develop their own analytical prowess.
An internship with CERT will be invaluable to any professional, in learning, as well as in his/her professional life.
(in fact I believe all regulatory institutions should start internship programs as this will help identify talent and sensitize them as they step into the profession)
Value for all
The CERT team will be able to identify talented professionals at an early stage who can be employed at CERT. In addition, these identified individuals can be directed to other government departments or private enterprises who will be able to employ them based on the confidence provided in the CERT evaluation.
As such, CERT will be able to identify talent that can be hired internally or be placed with other organizations. For the intern(s) this is a win win situation as he / she will be able to learn in a highly intense security environment and will obtain an evaluation by the most qualified institution in the country.
We end this piece on the hope that CERT will do something in this direction, creating and following a strategy and plan. We will be willing to help design the program and we do have a high level strategy / plan document which was made for Maharashtra Cyber Project.