Ministry for Foreign Affairs crowdsources part of its information security to hackers

The Ministry for Foreign Affairs will launch crowdsourced information security testing for some of its public online services on 22 September 2021. The so-called bug bounty program will be implemented in cooperation with Hackrfi, a company specialising in bug bounty program management. In the program, security researchers and hackers examine and scan selected targets for vulnerabilities, working within a set of clear boundaries. Participating hackers will be paid rewards based on eligible vulnerability reports.

Diagram: Locating Security Vulnerabilities. First step: testing in the development phase, where deficiencies are rectified as part of the system development process. This is followed by two options. The regular or recurring method is an audit-list or vulnerability-based audit, or a vulnerability scan. In addition to the regular method, an alternative is the bug bounty method: a community-based, unsystematic vulnerability search in which a bounty hunter is promised a sum of money commensurate with the security vulnerability that he or she detects and reports.

The Ministry for Foreign Affairs piloted the program between December 2019 and May 2020. Hackers filed more than 100 vulnerability reports, of which 32 were rewarded. The Ministry for Foreign Affairs has decided to make the program a permanent part of the implementation of its information security. The targets selected for the program will vary as the program develops.

“The Foreign Ministry’s online services are examined, whether we want it or not. We are aware that outsiders are constantly showing interest in us, and all of them do not necessarily have good intentions. The program aims to bring to our knowledge and to rectify vulnerabilities that would otherwise remain unnoticed,” says Matti Parviainen, Director for Information Security at the Ministry for Foreign Affairs.

The primary targets of testing will be our online services, which are available to everyone directly on the internet. In our services, not only confidentiality but also the availability and integrity of information are emphasised. One of the targets of testing is a service that is one of the most important tools for us to get information about and reach Finnish citizens in crisis areas.