The South Australian government will create a bug bounty program for cyber security researchers who identify vulnerabilities in its internet-facing services.
The Department of Premier and Cabinet (DPC) revealed the plans in an approach to market on Wednesday, as vulnerability reports continue to climb worldwide.
The community vulnerability management service would give the department a formal channel for engaging the security research community and a better-managed process for handling the vulnerabilities they discover.
Until now, the government has had an “ad hoc” arrangement, where citizens can report cyber security issues they discover.
In line with other bug bounty programs, the department said it will pay cyber security researchers “financial rewards” for uncovering any vulnerabilities.
The planned bug bounty program comes after a damning audit [pdf] last year that found penetration testing and vulnerability scanning to be “limited and ad hoc” at the majority of agencies assessed.
Around 80 percent of the 292 public-facing environments assessed had not been pentested in the last three years, including 47 percent of environments holding sensitive information.
Few state and territory governments have previously revealed the existence of formal bug bounty programs.
NSW Customer Service minister Victor Dominello in 2019 said Service NSW had created such a program as part of the development of the NSW digital driver’s licence.
While the DPC has offered no timeframe for when the bug bounty program might start, it plans to sign a contract of up to two years with the successful supplier in July.
In last year’s budget, the government set aside $20 million to improve the state’s cyber defences, a significant portion of which will be used to create a cyber security operations centre (CSOC).
The CSOC will build on the existing security watch desk and cyber threat intelligence team in the Office for Cyber Security within DPC.
According to the government’s ICT, cyber security and digital government strategy, cabinet has also approved a number of other initiatives to address “significant” cyber security vulnerabilities.