Should Ecuador use bug bounties?
Over the last ten years, bug bounty programs have become progressively more common in many industrialized countries. This trend started in the US, but has spread to other countries. However, we are not seeing the same spread everywhere, and Ecuador is one of the countries where it has not taken hold. Considering the large number of security incidents we have seen in Ecuador lately, it is worth asking the question: should Ecuadorian companies - and the government - consider using bug bounties to improve their security?
First, let’s quickly recap what a bug bounty program actually is. Fundamentally, the idea is that an organization publicly offers payment for reports about bugs or vulnerabilities in its software, infrastructure or digital services. The program can be time limited or permanent. It can require pre-registration or be completely open. Often, different types of vulnerabilities will earn different levels of compensation. And of course, for this to work, the organization needs to ensure that testing its software within the published scope is legal, so that people participating in the bug bounty don’t face any risk of judicial consequences.
This all might sound a bit strange - you want to invite people to break your security? Yes, that’s actually exactly what you want. If you have security problems, you need to find them. It’s not enough to keep things hidden and hope that no-one will notice. We know from experience that in these cases, only the bad guys will know which vulnerabilities exist. Wouldn’t it be better to simply find them and fix them? Of course, bug bounties are not the only way of achieving this result, but they are a good way to show the public that you take security seriously.
If you are still not convinced, it might be worth mentioning that many of the most successful companies in the world use bug bounties, among them Facebook, Google and Microsoft. Both the US government and European authorities have also helped fund bug bounty programs.
So what do you need to be able to implement this kind of program? First, and most important, you need to have a process for reporting security problems. In fact, this is something that absolutely every organization should have, no matter what it does. The government should have it, and private companies as well. Otherwise, if someone stumbles on a problem, where do they go? For a bug bounty program to work, you need a channel through which reports can arrive, combined with processes for verifying the findings and paying out the compensation.
Once the reporting is in place, you need to have procedures for actually fixing security problems. Otherwise, the bug bounty program will not be very useful. But to be functional, you also need the resources. These kinds of programs can generate a lot of input, which means that you need enough people to triage and deal with the problems that are found. The instinct might be to sweep the findings under the rug, but please don’t. Instead, invest in security and make the bug bounty program effective.
Finally, the question of legality needs to be resolved. At the moment, it’s not clear whether bug bounty programs can actually be run in a legal way in Ecuador. Of course, if the company makes a commitment not to pursue legal action, and specifies the limits of what is acceptable behavior, that solves one part of the legal problem. But the Prosecutor’s Office of Ecuador has the power to open investigations without the consent of the presumed victim, which means that even a commitment from the entity hosting the bug bounty might not be enough.
For this reason, we can’t recommend full bug bounty programs in Ecuador yet. We do believe it is a powerful technique, and many larger private companies in Ecuador would certainly benefit from this kind of procedure. They have the resources to do it well. However, until the legal situation is resolved, it might not generate much participation.
For state organizations and parts of the government, organizing something that improves the security situation also seems quite urgent. We have seen many intrusions over the years, and this is only going to get worse. On the other hand, it’s not clear that the government actually has the people or resources necessary to improve the security based on bug bounty reports.
Our current recommendation is that organizations in Ecuador start by making sure they have security reporting guidelines, and make them publicly available - including a way of anonymously reporting issues. This should at the least make it easier for security researchers to help these organizations.
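As an added illustration of the reporting channel recommended here (and of the reporting process described earlier in the post), this is what a minimal, publicly discoverable contact file could look like. It uses the security.txt format standardized in RFC 9116, which is served at the path /.well-known/security.txt. This file is not part of the original post and is not published by any particular Ecuadorian organization; the domain, email address, key URL, policy URL and anonymous-report form URL are all placeholders.

```text
# /.well-known/security.txt  (placeholder values, not a real organization)
# Required: where to send reports. Several Contact lines are allowed,
# listed in order of preference. An https: URL can point at an
# anonymous web form so reporters need not identify themselves.
Contact: mailto:security@example.org
Contact: https://example.org/report-anonymously

# Required: when this file should be considered stale (ISO 8601).
# Pick a date well under a year out and renew it before it passes.
Expires: 2026-12-31T23:59:00.000Z

# Public key for encrypting sensitive reports (placeholder URL).
Encryption: https://example.org/pgp-key.txt

# Where the published reporting guidelines live: scope, what is
# allowed, and the commitment not to pursue legal action.
Policy: https://example.org/security-policy

# Languages the security team can read reports in.
Preferred-Languages: es, en

# The canonical URL of this file, so copies elsewhere can be spotted.
Canonical: https://example.org/.well-known/security.txt
```

The two required fields are Contact and Expires; the rest are optional but make the guidelines easier to find and use. The Policy link is the natural place for the commitment and scope limits discussed above, and the second Contact line is one way to satisfy the recommendation for anonymous reporting.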
At the same time, the government should invest in clarifying the legal situation. It would be great if the Ministry of Telecommunications ran a pilot bug bounty project to serve as an example for the rest of the public entities. But, at the least, they should implement security reporting.
In other posts, we will return to the theme of what Ecuador can do to improve the digital security of the country. There’s much ground to cover.