Bug bounties | Quebec will pay hackers to identify vulnerabilities

The government of Quebec is asking hackers and researchers to find bugs that may compromise the security of Quebecers’ data in government computer systems.

Posted at 2:05 p.m.
Updated at 2:42 p.m.

Stephane Blais
The Canadian Press

Researchers are paid a lump sum of between $50 and $7,500 when they discover a computer security problem on a government website.

This was announced by the Minister for Cybersecurity and Digital Affairs, Éric Caire, during a press conference on Thursday afternoon.

“Quebec’s government is the first public administration in Canada to make a program of this type available,” declared Minister Caire, specifying that the initiative will not replace the security mechanisms already in place.

“It’s another layer we’re adding to ensure that the systems we’re going to deploy are cyber-secure,” the minister said.

The bug bounty program invites researchers to register and formally identify themselves on a secure platform called YesWeHack, a European leader in the field, the government said.

The amount of each reward depends on the criticality and importance of the detected flaw. During the pilot phase of the program, $64,000 is available to researchers.

“The project will continue as long as the treasury is not exhausted,” said Minister Caire, after which a report will be drawn up to determine whether the project should become permanent “to eventually be put out to tender”.

According to the Department of Cybersecurity and Digital, which said in a press release that the analyzed programs “will be duplicated in test beds,” no personal information will be accessible to researchers analyzing the systems.

The hacker or researcher who finds a vulnerability will increase their “rating” on the platform.

“So for the researchers, it’s a source, a double source of motivation. Of course there is the remuneration, but also his rating increases because it increases the credibility of the researcher and therefore the opportunities available to him,” said the Cybersecurity Minister.

The YesWeHack platform is already open to researchers, and Minister Caire stated that “the entire community of the planet has access to the program,” which will allow the government to “have access to a very high level of expertise at a lower cost.”

The amounts granted, the number of flaws found and the severity of these problems could be made public, the minister said, but the details of the reports will not be made public for reasons of confidentiality.

“Scientists have no interest in boasting about it, because a relationship of trust has to be built up and such behavior would reduce the credibility of the researcher concerned,” added the minister.

Several deficiencies in recent months

Last December, the Quebec government preemptively shut down nearly all of its 3,992 websites after discovering a serious security breach affecting servers around the world. Some of the sites remained closed for a few days.

A few weeks ago, the Sûreté du Québec opened an investigation into a leak of confidential data at the Treasury, and in the spring of 2021, the personal data of thousands of parents of children registered with La Place 0-5, the central access point for educational childcare facilities, was stolen by a hacker.

According to Minister Éric Caire, “actions like this” (the bug bounty program) “can increase the level of security of public services and government electronic exchanges within the Quebec government”.
