404 Not Found: Vulnerability Disclosure in the Philippines
A bug is a vulnerability in software or hardware that gives cybercriminals an opportunity to carry out malicious activities, potentially causing severe financial and reputational damage.
Lack of Vulnerability Disclosure
Vulnerability disclosure is the process of bringing information about flaws in operating systems, applications, firmware and business processes into the public domain. The purpose is to ensure that product vendors fix the flaws while users can mitigate them before those same flaws are also found and exploited by bad guys.
We could have avoided the biggest data breaches in the country if there were a platform or channel where security researchers could report vulnerabilities; frankly, we don't have one.
Most of the data breaches in the country were reported before they occurred. But in the Philippines, when you report a vulnerability to a vendor, an organization, or a government sector, there is always tension and unease. Why? They will always bring up Republic Act No. 10175 (the Cybercrime Prevention Act of 2012). A colleague of mine was almost sued by a big corporation for reporting vulnerabilities in their food ordering website, which was later brought down by the National Privacy Commission.
Instead of creating a researcher-friendly policy for vulnerability disclosure, many companies and government agencies would rather scare the researcher than deal with the report, until it's too late. As a result, helpful hackers who "see something" usually don't "say something" because they are afraid it might land them in jail.
This reality is dramatically shaping cyberspace, presenting a pressing challenge that organizations, businesses and governments must all understand in order to solve.
Let’s keep in mind that everything is hackable from a wireless doorbell to devices like Internet-connected cameras, radios, and Industrial control systems.
Reporting these flaws is critically important. Failure to do so gives malicious hackers the means and opportunity to hide and strike from the shadows.
Bug Bounty Programs
The objective of bug bounty programs is to collaborate with the security community: researchers are invited to hack products and websites within a defined scope and encouraged to report any findings to the company or organization. This gives them a chance to ethically hack real-world targets using the methods normally used by black hats, while receiving monetary rewards.
In 2019 the Singapore Government partnered with HackerOne to invite security researchers to hack their systems. It was a three-week challenge inviting international and local ethical hackers to discover and disclose security weaknesses across 12 internet-facing government Information and Communication Technology (ICT) systems, digital services and mobile applications with high user traffic.
In exchange for finding valid weaknesses, hackers will earn monetary rewards ranging from $250 to $10,000 based on the severity of the discovery.
Their first bug bounty challenge was launched in December 2018 and saw participation from nearly 400 participants internationally who discovered 26 vulnerabilities and earned $11,750 in bounties.
Google, Yahoo, Facebook, United States Department of Defense (Hack the Pentagon) and many others have successfully adopted vulnerability disclosure and bug bounty programs. This greatly impacts their ability to keep their products, infrastructure, assets, employees and customers secure.
For businesses and organizations, the advantage is that they are generally only required to pay out per valid vulnerability or, depending on the program terms, reward the researcher with some swag, and sometimes not pay at all.
This offers businesses and organizations an opportunity to fix a reported vulnerability that existed unknowingly, before it is exploited by malicious hackers.
Previous data breaches have taught us the important role of ethical hackers in any organization. Not all hackers are bad; let's keep that in mind.