From now on, every time a ministry or government agency wants to launch a new application or website, it must provide hackers with the opportunity to test it. Quebec considers this step essential to increase the level of security.
The bug bounty program, which launched as a pilot in 2022, is becoming permanent. It consists of paying between $50 and $7,500 to anyone who finds a computer error in the platforms put online by the government.
Since September, ministries and organizations have been asked to use it for their systems, said Éric Caire, the minister of cybersecurity and digital technology. You have until December 31, 2026 to join the program.
Fewer than ten of them have used it since the pilot project started, complains Éric Caire. Are they afraid to use it because of the cost? Maybe, but that’s not a valid argument in his opinion. If your employees have done all the necessary testing before going live, it will be difficult for hackers to find bugs.
Increase IT testing with bug finders
Éric Caire also believes that this tool should have been used by the SAAQ. Of course, it’s easy to rewrite history, but considering what the audit taught us, I think SAAQclic would have benefited greatly from switching to the bug bounty program.
The report from PricewaterhouseCoopers (PwC), which was commissioned to investigate the causes of the fiasco, indicates that the platform should have been tested further before its launch.
A month ago, Quebec government websites were also targeted by a cyberattack of Russian origin. Reportedly, no personal data or critical information was extracted through this intrusion, but the episode was another warning of the need to protect systems that are put online.
Given recent events, we said to ourselves that something must be done. It is an excellent practice to take advantage of the bug bounty program. It exposes vulnerabilities. It is better to discover them in an environment like this, controlled, with people who must respect ethics and a legal framework.
Bug researchers, amateurs or professionals who participate in this program must identify themselves and open an account in order to receive their compensation. It is impossible to participate anonymously. The amount paid varies depending on the criticality of the IT vulnerability discovered.
It’s also an incentive for ministries to do a lot more testing in advance because if you… [nomination] When it comes to the bug bounty program, I think they’re proud to say they didn’t find any, or they found very few. It’s an incentive, Mr. Caire said.
Quebec is the only Canadian province to use this program. To participate, hackers must go to the French platform Yeswehack.com, where the government has reserved space.
This allows us to employ the best bug researchers in the world to ensure the robustness of our applications.
We want departments and agencies to wear a belt, and the bug bounty program is the suspenders that go with it! continued the minister. This does not absolve the government from conducting its own tests. We want to ensure that we do everything humanly possible to ensure the security of our applications.