Govt has never considered a bug bounty program, says ASD

The federal government has never looked at adopting a centralised bug bounty program to help weed out cyber security vulnerabilities at departments and agencies, Australia’s cyber spy agency has revealed.

The Australian Signals Directorate made the admission in answers to questions on notice from the parliamentary inquiry into cyber resilience, while batting away other questions about the cyber resilience of agencies.

Bug bounty programs, which can either be public or private and involve recognising and compensating white hat hackers for uncovering vulnerabilities in systems, are increasingly commonplace in foreign governments.

The US government, for instance, has run numerous bug bounty programs focused on the Department of Defense since 2016, including Hack the Pentagon, Hack the Army and Hack the Air Force.

In that time, bug bounty platform HackerOne estimates that security researchers have found more than 11,000 vulnerabilities through the programs, which are also thought to have saved millions of dollars.

The UK’s National Cyber Security Centre also introduced a formal vulnerability disclosure scheme using the HackerOne platform in 2018 after conducting a two-year pilot to establish such a program.

Closer to home, the NSW government recently created its first bug bounty program as part of the development of the NSW digital driver’s licence, allowing independent security experts to scrutinise the underlying code and identify areas for improvement.

But when asked by shadow cyber security assistant minister Tim Watts whether the federal government had considered adopting a similar bug bounty program, ASD this week responded with a resounding “no”.

It means that not only does the government not have a private, invitation-only bug bounty program, it has never considered introducing such a program, despite the benefits shown in governments outside Australia. 

ASD said it does, however, “actively” engage with technology researchers and industry who disclose vulnerabilities, in line with its Responsible Release Principles for Cyber Security Vulnerabilities policy.

The policy, which was quietly released last year, outlines the agency’s process for deciding whether to disclose vulnerabilities, which it will only keep secret if there is a "critical intelligence requirement".

“The decision to retain a vulnerability is never taken lightly. It is only made after careful multi-stage expert analysis, and is subject to rigorous review and oversight,” the policy indicates.

The Department of Home Affairs also acknowledged in answers to questions on notice from the cyber resilience inquiry that there is “no central policy mandating vulnerability disclosure programs”.

It said a “number of Commonwealth entities have vulnerability disclosure policies appropriate to their circumstances”, with any significant cyber security incident to be reported to the Australian Cyber Security Centre when it occurs.

Agencies are also expected to complete a report on their cyber security posture on a yearly basis through the Protective Security Policy Framework (PSPF), though this mechanism has repeatedly been shown to be lacking.

Despite a recent overhaul of the PSPF, the Attorney-General’s Department (AGD) is looking at making further improvements to the framework to drive compliance with the mandatory Top Four cyber mitigation strategies.

ASD continues to argue that disclosing the Top Four or Essential Eight compliance levels of individual agencies “may increase their risk of being targeted by malicious cyber actors”, despite the Australian National Audit Office doing so in regular audits.

The next cyber security audit focusing on the departments of Home Affairs, Health, Education, Prime Minister and Cabinet, as well as Australian Securities and Investments Commission and ASD is slated to be released in December.