A government bug bounty competition pitting white hat hackers against a live botnet has ruffled the feathers of some in the security industry.
Delegates at the Nullcon security event in Goa last month were tasked with investigating the command and control servers used in a recent attack against Indian Government infrastructure.
The Government paid the winner, a researcher with Garage4Hackers, Rs 35,000 ($A627) for providing a detailed analysis on the botnet.
But a blog on the HoneyNet Project by the University of Washington security researcher David Dittrich triggered a small blacklash from some security boffins after it incorrectly stated competitors were asked to attack and takedown the botnet.
While claims of the takedown were incorrect, Dittrich also questioned whether the move to target what was essentially a "crime scene" was responsible. He has argued that legal authority was critical to dismantling botnets. (pdf)
NullCon founder Antriksh Shah said delegates were asked to obtain and provide technical malware analysis and information on the botnet to the government including dropping a proof of concept text file on the command and control server.
"The winning team was just required to show proof of stealth access which was demonstrated through a txt file created on the server," Shah told SC.
"As we speak the botnet is still live."
He said delegates were told not to disturb the botnet, adding that nothing "out of scope" was touched.
He was unsure if the government would use the data to target the botnet.
Shah told the Times of India that the event "clearly shows the first signs of government-community partnership in fighting cyber crimes in the country".