Successful crowdsourced testing of information security at the Ministry for Foreign Affairs – bug bounty program to permanent use

The Ministry for Foreign Affairs organised a crowdsourced information security testing for its public online services between December 2019 and May 2020. With the bug bounty program, organisations can invite information security researchers and hackers to examine, within a set of defined boundaries, the information security of selected services on the Internet. The information protection of the targeted systems were not opened for the project.

 

 (Link to another website.)The websites selected for the testing were the following Foreign Ministry’s online services: um.fi(Link to another website.)matkustusilmoitus.fi(Link to another website.) ja  vaarinkayttoilmoitus.fi(Link to another website.).  As these online services are subject to unauthorised attacks anyway, the Ministry wanted to invite legally operating hackers to examine the services and reward them for reporting vulnerabilities.

“The project was useful and inspiring. It was also exceptionally open, as most of the Foreign Ministry’s information security projects are not public,” says Chief Information Security Officer Antti Savolainen.

Altogether 30 hackers from Finland, India and Argentina joined the project. They filed more than 100 vulnerability reports and were rewarded for 32 reports. The total amount of rewards was about EUR 10,000. The biggest reward, EUR 3,000, was paid for a report that revealed a possibility of unauthorised publication of videos on the Ministry’s websites. All reported vulnerabilities were fixed as part the project.

The Ministry for Foreign Affairs acquired its first bug bounty program from Hackrfi. The piloting succeeded as planned, and the Ministry has decided to include bug bounty in its new information security testing program. The public procurement of the testing program will start in October 2020.

"I think it is great that the Ministry for Foreign Affairs was bold enough to open its websites for testing by information security researchers. Information security is a collaboration, and we can get the best results when many pairs of eyes are exploring the same package," says Information Security Researcher Laura Kankaala who took part in the project.

Inquiries: Antti Savolainen, Chief Information Security Officer, tel. +358 295 351 425, e-mail: [email protected]