March 01, 2013

I was at nullcon 2013 in Goa and, as the CTF/Jailbreak contests were coming to a close, there was an announcement - some Government officers attending the conference wanted a piece of malware analyzed and were willing to pay a 25k bounty. Excitement all around! Me too saying a silent prayer - Thank God the elephant awakens.
To cut a long story short, [a] the bounty was raised to 50k (25k on day 1 and 25k on day 2) and [b] by the same time next day two teams had done the analysis; one of them got 37k and the other 13k.
The media covered the event as a botnet takedown and many members of the Indian information security community, and some from the international community, screamed blue murder. The naysayers talked about the lack of ethics and knowledge among Indians to undertake such activities. Some made the point that the international community must be taken into confidence for such actions... and much more. I was part of some serious conversations with professionals overseas and managed to explain the facts and the distorted media coverage, so it did settle down. Unfortunately, members of the community in India are still keeping the fire burning, and this has to be addressed soon if it is to be doused.
OK, to come back to my main subject - bounties are a good thing to happen to the country and I hope the government departments will keep their pockets open.
The simple 50k bounty must have saved that department a lot of headaches:
- malware analyzed in about 15 hours, which might otherwise have taken 3 or more days.
- the analysis was done manually, while the attack was still on.
- they paid only 50k (= $1k), which is chicken feed.
- they identified 20 good guys who can be hired or called upon.
Imagine how a corporation could benefit in the same manner if it paid a bounty; Indian companies are yet to realize this.
With the government having taken the lead in offering a bounty, I hope that this will become a regular program, as it will help raise the interest level in the community and also serve as a "public-private partnership" model.
Companies all over the world are offering bounties and many Indian ethical hackers (young and old) are making good money. Google, PayPal, Facebook etc. all have ongoing bounty programs and are paying out good dollar amounts. They benefit because they get legions of hackers trying to break their defences and discovering vulnerabilities which were otherwise not known. The bounty is always less than the commercial cost of discovery!
One may argue this is immoral and is akin to 'guns for hire' or making a generation of 'mercenaries', but this is the new age of thought. There is nothing immoral about it; calling it so is a regressive thought.
My take is that first - the Government departments must all offer a bounty program! This will make sure that the shoddy jobs done by IS auditors are exposed and Indian government sites will become more secure. Intelligence agencies are usually struggling to find good analysts, and when they find them they cannot afford to hire them on annual terms - this is an easy way of getting tough jobs done. The agency pays a bounty to the specialist who is able to complete an analysis or reverse-engineer the malcode that has been put up.
All in a day's work !
Second - the corporations or business houses must accept that a breach or a hack is just like a disaster. Disasters do not warn you, and there is no need to be embarrassed if hit by one. After all, if there is a fire or flood, you do not hide behind a 'ghoonghat' - stand up, declare the disaster and ask for help. Many Indian companies do not have the necessary in-house skills to respond to disasters like this and can take advantage of the bounty culture. Offer a bounty for the vulnerabilities found by ethical hackers and your own credibility will rise.
Another fallout of a bounty program is that it stops ethical hackers from crossing the 'lakshman rekha' to become blackhats. If they can make decent money in the country through bounty programs, there is less reason for them to turn to criminal activities.
As I have said earlier, many in the profession may argue about the ethics of offering bounties and the risk of turning rogue, or the risk of messing up someone's systems. These fears are unfounded when you consider that there may be an unethical hacker from a foreign country who will find and exploit the vulnerabilities and inflict more damage!
So in the end - what do you want - to attract your own country's talent to find and report any weaknesses in your systems, or some firang coming in and bringing your system down just for a few bucks?
It's a new age and it requires new thinking; it requires you to take action in a new manner. So, go Government of India, go - it's been a while since something proactive happened from your end... just move on, make an official program and announce it - this will certainly get good karma from all over.
And naysayers can remain at their desktops and continue to fret and fume :)
Labels: bounty program, ethics, government of india, info security, morals