The Swiss government has recently invited security researchers to undertake a public intrusion test on their e-voting system ahead of the elections later this year. The testing period will run for one month, ending on 24 March, and participants are eligible for up to £39k for identifying major vulnerabilities. A total pot of £119k is available.

Bug bounty programmes are everywhere. Google, Facebook, Yahoo, Tesla, Microsoft, Vimeo, Dropbox, Cisco and even the Pentagon run programmes. Two heads are better than one, and what better way to test your system’s security than to crowdsource creativity to a band of willing researchers with the know-how to attack your systems. But does it make the grey area between black hats and white hats that little bit shadier?

Do rewards legitimise grey hat hackers?

In a world where organisations continue to prosecute grey hats, are rewards giving mixed messages? An ‘ethical’ hacker is currently on trial, and facing eight years in prison, for allegedly breaching the network of Magyar Telekom, the largest telecoms company in Hungary. Although his intentions appear to be good, Magyar Telekom did not appreciate the unsolicited input and his actions were ultimately illegal. And they aren’t the only organisation to feel that way.

It’s not just the age-old debate of ethics and permissions; it’s one of practicality and pragmatism. Organisations such as HackerOne and BugCrowd not only centralise the process and connect skilled resources to bug bounty programmes, they also vet the researchers. Let’s not forget that hacking is a serious business, and someone who doesn’t know what they’re doing can cause serious damage.

But rewards don’t exist exclusively through bug bounty platforms – and importantly, anyone finding a vulnerability is eligible. When a high school student recently made Apple aware of their now infamous FaceTime bug, they rewarded him and offered financial support for his education. There’s nothing to stop an opportunist bug hunter, of any skill level, from reaching out into cyber space like a prospector looking for gold. For those who strike lucky, bug hunting has the potential to be lucrative. But with financial rewards available, it also feels like a slippery slope to ransomware - and the starting bid’s been conveniently pre-priced.

Is this the future of pen testing?

Software development has always been a collaborative space, and sites that connect open source programmers have historically formed a large part of that. So it’s no surprise that security testing has become equally collaborative. Many heads are better than one, and it will be interesting to see how this shapes the approach to security testing in the future.