Sri Lankan start-up wins cybersecurity grant
A grant from the Asia Pacific Network Information Centre (APNIC) and the Information Society Innovation Fund (ISIF) is paying for security checks of Sri Lankan companies through local start-up Bug Zero
By Jinashri Samarakoon Wijesundara
Bug Zero, a crowdsourced security-testing (bug bounty) platform, recently secured a highly competitive grant of USD 85,000 from the Asia Pacific Network Information Centre (APNIC) and the Information Society Innovation Fund (ISIF) to promote the concept of crowdsourced security testing among Sri Lankan companies.
The grant allows Sri Lankan organisations enrolled on the Bug Zero platform to have their systems checked for security vulnerabilities by hundreds of white-hat hackers, security experts sometimes referred to as ethical hackers or bug hunters, from 24 different countries, free of charge within the grant period ending in December 2022. Any public or private firm can take up this opportunity via the Bug Zero platform without paying upfront fees.
The business model
Bug Zero enables client organisations to get their systems tested for security vulnerabilities by independent testers: it acts as the intermediary between the two parties and offers rewards to the testers, or bug hunters. The process begins with firms publishing their public endpoints (URLs, APIs, mobile apps, etc.) on the Bug Zero platform. A rapidly growing community of bug hunters (presently close to five hundred from 24 countries) then starts testing those endpoints for vulnerabilities using their own tools, methodologies and, above all, their hacking skills.
This diversity of skills is a strong factor in bug hunters finding vulnerabilities that slip through more conventional security testing. The vulnerabilities identified are reported through the Bug Zero platform, enabling organisations to fix the weaknesses before a malicious actor exploits them and causes serious damage.
Payment is typically made when an ethical hacker identifies a reproducible security vulnerability and reports it to the client organisation, enabling the client to take remedial action. The platform earns revenue by charging a nominal percentage of the rewards paid to the bug hunters.
The grant Bug Zero has secured aims to give Sri Lankan firms an opportunity to experience bug bounty platforms, a security testing method that is new to the country, by covering their security bills. This allows Bug Zero to pay the security experts on behalf of the client company without retaining a service fee while the grant is valid.
The Bug Zero platform was co-founded by Primal Wijesekera (PhD), a security research scientist at the ICSI, UC Berkeley, USA, along with Kasun De Zoysa (PhD), Chamath Keppetiyagama (PhD), Charitha Madusanka, Kenneth Thilakarathna, Nipuna Weerasekara, and Ravindu De Silva, all of whom are either current Senior Lecturers or proud products of the University of Colombo School of Computing (UCSC). The founding team has a strong academic profile, publishing cutting-edge research on privacy and security at leading international venues.
When we asked him whether clients can choose a specific category of white-hat hackers, Primal Wijesekera said: “We also have private programs in which we verify the identities and filter hackers based on the requirements of the client. The default programs let anyone registered on the platform start testing as soon as a client publishes their testing requirements. In private programs, however, Bug Zero only invites pre-filtered bug hunters based on prior agreed-upon criteria. Sensitive actors such as the Pentagon and US military use similar private programmes.”
Popularity in industrialized countries
Any organisation that has an online interface, particularly one that deals with large volumes of online transactions or highly sensitive data, faces frequent security threats and requires constant checks. The majority of Sri Lankan firms directly employ experts or hire them from security service providers by paying heavy retainers. US and European firms, however, favour bug bounty or crowd security platforms as a cost-effective and highly efficient strategy for vulnerability discovery and management, an integral part of computer and network security management.
Commercial entities such as Google, Android, Apple, Microsoft, and Reddit, and government entities such as the US military and the Pentagon, have significantly increased the efficiency and reduced the cost of vulnerability management by engaging white-hat hackers through crowd security platforms. In Sri Lanka, the Sri Lanka Computer Emergency Readiness Team (SLCERT), the government agency mandated with the protection of information and information systems within the state sector, is now using the Bug Zero crowd security platform to mitigate security vulnerabilities.
Increased efficiencies and reduced costs
Bug bounty platforms such as Bug Zero deliver efficiencies to a client organisation through two strategies. The first is efficiency through numbers: hundreds of bug hunters with diverse skills hunt for vulnerabilities around the clock, as opposed to the few experts a client organisation would hire directly or indirectly. These hundreds of extra eyes come at no extra cost to the client organisation, which pays only for verified vulnerability reports.
The second is that bug bounty platforms remove the burden of upfront capital investment, staffing, and fixed budgets from security testing. Organisations can reduce the number of cyber security staff on payroll or on retainer, which in turn reduces capital expenditure on the infrastructure such staff need to operate. Expenses on the platform are tied directly to the successful identification of threats and are paid in the form of rewards (usually gifts, recognition, and monetary payments) only for reported vulnerabilities.
Asked whether it is safe to open an organisation’s security testing to unknown security testers, Wijesekera points out that the US military and the Pentagon, which deal with highly sensitive data, successfully use this method to pre-empt and mitigate malicious attacks through private programs and private events. Private events, or hackathons, are customer-specific events in which testers carry out the testing strictly during a set period at a specific location, and not afterwards.
“They give clients the option to verify who is testing their systems through the bug bounty platform and keep a close tab on their testing activities,” Wijesekera explains further.
What motivates “white-hat” hackers
Knowledge workers increasingly forsake permanent employment that binds them to an organisation, preferring the freedom and autonomy of freelance work. White-hat hackers derive satisfaction from identifying critical vulnerabilities that black-hat or malicious hackers could otherwise use to cripple businesses. They are also inspired by the recognition they receive for their abilities in the communities that bug bounty platforms create.
Wijesekera reiterates this point from his wide experience: “I work with white hat hackers in my research work at the International Computer Research Institute at UC Berkeley. They are motivated by the autonomy provided by bounty programmes, which reward them for their work. They appreciate the flexibility of working hours, place, and pace and the recognition and respect that comes with successfully identifying vulnerabilities that can disrupt businesses.”
The Bug Zero initiative also aims to build a skilled workforce among Sri Lankan youth. Wijesekera believes that the Bug Zero platform can attract, develop and grow local talent by paying internationally competitive bounties for bug identification. He indicates that over 80% of the security testers registered on the platform are local security testers and enthusiasts, with the rest coming from different parts of the globe, and argues that these facts strongly suggest that a shift to bug bounty platforms will benefit the country’s whole security ecosystem.
IT platforms such as Bug Zero enable independent experts to offer their services to external companies, facilitating a “brain gain” at a time when the country is facing a severe brain drain. These platforms make it possible for experts to provide services to firms in Sri Lanka without needing a physical presence in the country.
Wijesekera concludes, “Bug Zero also believes that bug hunting will provide a much-needed challenge to the new generation, especially to those who enjoy a real-world impactful challenge beyond anything else.”