Bug Bounty Program from Government is required

It was heartening to note that during the recent Cyber Security Summit in Delhi (Ground Zero), Mr Rajnath Singh, the Home Minister, stressed the need for “Cyber Security” for the success of the other Government initiatives such as the Digital India.

Naavi.org has not only been highlighting this issue for a long time but also urging specific action plans from the Government in this regard including the”Cyber Insurance For ALL” as a Government initiative. Naavi also initiated a private sector Special Interest Group in “Secure Digital India” with the hope that other security professionals will join hands in providing voluntary inputs on information security to the Government.  As a further follow up, Naavi also initiated the “Cyber Law Compliance Center”. Naavi had also stressed the need for a revision of ITA 2008 with a vision on the futuristic issues such as Internet of Things (IoT) and Big Data with a document on “Cyber Law Vision-2018″  . After noting that the Government of India has set up an expert committee for a review of ITA 2000/8, Naavi has now also invited experts from the private sector to contribute ideas to what needs to be done in this regard through the “Special Interest Group on Amendment to ITA 2000/8”.

In all these efforts, it is possible that the efforts of Naavi is unlikely to gather as much support as it deserves from the community. The reason is not that others are not as much concerned about the welfare of the Digital India project as Naavi is, but it is because they all feel that it is futile to do anything voluntarily for the Government or the Country since it would not be appreciated.

Probably they are right but like an eternal optimist Naavi will continue to voice his views through Naavi.org and expect that just as many of his ideas have taken years to find support, these will also gain acceptance over a period of time, if not in this tenure of Modi, in his next tenure.

However, looking at the reasons for the lack of trust between Information Security professionals and the Government, the article “It’s No Secret That the Government Uses Zero Days for Offence” published in eff.org, gives a hint.

Though this article reflects development in USA, it has universal application. The article highlights the fact that the Government of USA is guilty of using many “Zero Day Vulnerabilities” to snoop on its own rather than trying to secure the Digital Space with counter action to secure the society against such vulnerabilities.

A Citizen would think that if he finds a vulnerability, he has a duty to inform the Government so that the society is kept safe. Many Information Security specialists also feel the same. Some of them do their best to contact the source of the vulnerable software so that the vulnerabilities are corrected. But companies driven by their business interests and immediate profit goals often donot make necessary corrections and let the vulnerabilities remain. Some Companies may reward the informers in their Bug Bounty program but most donot have such programs in operation.

When companies fail to remove vulnerabilities, the security professional who pointed out the vulnerability has two options with him. One is to inform the regulatory authorities in the hope that they will initiate action against the Company which has released a vulnerable software and endangered the community of users or teach the laggard company a lesson by actually exploiting the vulnerability and make it more visible to the public.

If he choses the second option, he will be called a “hacker” and probably be punished by law. If he choses the first option and the Government itself tries to exploit it instead of bringing a correction, he will soon develop a distrust for the Government and eventually become a rebel and a hactivist.

I invite Sociologists to conduct a study of the mindset of “Information Security Professionals who turn into Hackers” and identify the reasons for such transformation which is detrimental to the society.

At the same time, the minority of Information Security Professionals who resist the temptation of hacking and remain “Compliance Consultants” need to be identified, encouraged and recognized.

In the light of these thoughts, I would like to draw the attention of the Government to some of the following action elements.

If Modi Government wants to continue its economic policy thrust based on Digital development, despite the reverse in Bihar, and avoid the fate of Mr Chandra Babu Naidu in Andhra, there is a need to merge the digital policies to social goals.

In working towards this goal, it is essential to ensure that community understands and supports whatever we are doing sincerely for the good of the country. Just as political opponents can make capital out of anything including a well designed suit, and the fact that there are a majority of people who are happy to continue living in a  half torn Dhoti and say “Jai Lalu”, there are information security professionals who may turn into “Hackers”  (or Hactivists) if they are not with you.

If the Government has to succeed in their mission “Digital India”, it is therefore essential for it to cultivate these IS professionals and take them on its side.

As some body watching the developments in the Government and also closely watching the Information Security industry, I can categorically say that India possesses a huge talent pool of information security skills which are today not being tapped by the Government.

Many of these professionals are productively engaged in the private sector and some are successful entrepreneurs in the filed of security. But the best in the field may be staying aloof from Government projects since they are not in the privileged “List of Accredited Experts” who get appointed as “Brand Ambassadors” and “Members of Expert Committees”.

Government therefore needs a policy to bring such experts into the main stream and give them the psychological satisfaction of having contributed to the growth of the country.

So far the policy of the Government is only to introduce some courses in Colleges and sponsor some workshops conducted by NASSCOM or DSCI. But most specialist Information security professionals are outside the gamut of the Government sponsored organizations are not easily connected. They are not qualified in Engineering colleges and donot hold the degrees and certificates based on which the Government tends to measure their utility.

The participation of Mr Rajnath Singh in events such as Ground Zero was therefore a welcome development and such interactions need to increase in future. One of the positive outcomes of this meeting is a policy initiative to start the Indian Cyber Crime Coordination Center (I-4C) and formation of a National Cyber Registry.

Bug Bounty By Government

May be in the context of US Government using Zero Day vulnerabilities to its own use, a comprehensive policy for “Disclosure of Vulnerabilities” providing for a Bug Bounty from the Government side would be desirable to enable reporting of zero day vulnerabilities without distrusting the Government.

Some would scoff at this idea of a “Bug Bounty by Government” and may not agree and feel that the Government should  not take over the private sector responsibilities. But I would like to state that Government is a stake holder in any vulnerable IT program being in the public space since it leads to a “Law and Order Issue in Cyber Space”.

If an Ola program or a Flipkart program or a Paytm program is vulnerable and a million customers find their credit card data compromised and a few thousands of them get exploited, then there will be a huge issue of credibility of our online Banking system. Hackers and Enemy States may attack our Banking system through these vulnerable private sector vulnerable apps. Hence Government has a duty to watch the space and take curative action when the vulnerabilities are still at Zero Day status. This is like the public safety body taking objection when a private multi storeyed building is being constructed without safety features.

If there is a good Bug Bounty Program by the Government, then the Citizen who reports the vulnerability will have a reason to report the vulnerabilities and also create a record of the report. He can be rewarded immediately and later with a suitable recognition (Padma Bhushan?.. non returnable!) that goes beyond educational qualifications.

Having taken the vulnerability on record under the Bug Bounty Program, Government would not be able to misuse the vulnerability. Government on receipt of such notice of a vulnerability can send a suitable notice to the developer, get the feed back and impose a fine to recover the cost of the bug bounty program. The program will therefore be  a self financing program.

Hopefully, the developers will insure themselves against such unexpected losses through a Cyber Insurance plan that covers the risk of being fined for vulnerabilities. (A new Policy Opportunity for Cyber Insurers!).

The actual reward to be paid and fine to be imposed may vary based on the threat impact assessment  of the vulnerability . It can be a token of Rs 1000/- or a maximum of say Rs 5 lakhs depending on the assessment for which some transparent guidelines can be developed.

Remember that if the vulnerability gets exploited, then the liability of the software releasing/using organization can be higher as per ITA 2008. Hence the system of a Government’s Bug Bounty program and a fine to cover the cost could be an acceptable suggestion which even the software/App development/user companies may welcome.

If the program requires an amendment to ITA 2008, it can be addressed by the new “Expert” committee being set up for the purpose of amendment. (If such “Experts” have a vision beyond the limited objective of restoration of Sec 66A in a form acceptable to Supreme Court)

In fact the software/App buyer can ask the developer to indemnify against any such vulnerabilities reported in the first one month of the release and later take over the liability himself. This will improve quality and testing of software before it is delivered for public use.

The program if introduced will therefore help the goal of Secure Digital India in multiple dimensions and I request the Government to consider it in right earnest.

Nice words have been spoken by the Minister during his inaugural speech at Ground Zero summit and if this finds support in its implementation, then it is an encouraging sign. There is still a long way to go in making this “encouraging sign” a real “game changer”.

Let’s keep watching the developments and hope for action from the Government.

Naavi invites views of the readers on this need for a “Bug Bounty Program by Indian Government” and how to motivate all Information Security Professionals contribute towards Secure Digital India.


More on the Summit

Print Friendly, PDF & Email

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

1 Response to Bug Bounty Program from Government is required

  1. GD Thakur says:

    Sir,Sorry for interruption and topic Change.But this is very important Court verdict for E-Commerc Market Places.

    Ecommerce marketplaces eagerly watch Flipkart’s online tax victory in Kerala.

    Ecommerce companies would have been carefully watching the proceedings unfold, asFlipkart won its Value Added Tax battle last week in the Kerala courts.
    This verdict could be viewed as a landmark case and create a domino effect for other etailers who are also involved in similar online tax disputes in neighbouring states.
    “The judgement is not legally binding on other states, but it has surely set a precedent and will have a persuasive value in other states,” said Joseph Vellapally, a senior Supreme Court advocate, who argued Flipkart’s case before the court.
    Flipkart- an escrow agent?
    Flipkart’s presented its case as an electronic marketplace that assumes the role of an escrow agent, meaning that it only pays the sellers once the goods have been delivered to the customer.
    Flipkart- not a merchant seller?
    Other states, which include Karnataka have failed to buy the tall claims made by ecommerce marketplaces such as Amazon, Flipkart and Snapdeal that they only facilitate sales between online seller and customer. In Kerala, Justice AK Jayasankaran Namnkaran Nambiar did away with the penalty placed on Flipkart that it had to pay VAT on inter-state sale of goods, as he did not accept that Flipkart was a merchant dealer.
    The judge found that only the sale transactions of the deliveries to Kerala customers, were found by the taxman. The judge also questioned why taxes were placed on Flipkart Internet Services, when the major part of sales were done by authorised dealer WS Retail, whose tax returns were accepted by the authorities.
    “but do not go further and find that it was the petitioner who effected those sales. Further, there is no consideration (by authorities) of the specific contention of the petitioner that the sales in question were effected by sellers who were registered on its online portal…,” the judge wrote.
    Keeping the champagne on ice
    While Flipkart owners may have burst open a few bottles of bubbly after the decision, other marketplaces may be wise to keep the champagne on ice for the time being at least, as they prepare for similar cases in other states.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.