[Hacking] Quebec starts a “bug bounty” program

The Quebec government is calling on hackers and researchers to find flaws that can compromise the security of Quebecers’ data in government computer systems.

These researchers will be paid per finding, between $50 and $7,500 each time they identify a computer security problem on a government site. The bounty amounts vary according to the criticality and importance of the flaw detected.

The Minister of Cybersecurity and Digital, Éric Caire, made the announcement during a press conference on Thursday afternoon.

“The Government of Quebec is the first public administration in Canada to make a program of this nature available,” said Minister Caire, specifying that the initiative will not replace the security mechanisms that are already in place.

“It’s one more layer that we add to ensure that the systems we are going to deploy are cyber secure,” said the Minister.

The “Bug Bounty Program” invites researchers to register and formally identify themselves on a secure platform called YesWeHack, a European leader in the field according to the government.

In the pilot phase of the program, $64,000 will be available to researchers.

“The project continues as long as the kitty is not exhausted”, explained Minister Caire, after which a report will be written to determine whether the project should become permanent “to eventually go to tender”.

No personal information will be accessible to researchers who will analyze the systems, according to the Ministry of Cybersecurity and Digital, which specified in a press release that the programs analyzed “will be copied in test environments”.

The hacker, or researcher, who finds a vulnerability will see his “rating” increase on the platform.

“So, for the researchers, it is a source, a double source of motivation. Obviously, there is the remuneration, but there is also seeing his rating increase, because it increases the credibility of the researcher and therefore the opportunities available to him,” mentioned the Minister of Cybersecurity.

The YesWeHack platform is already accessible to researchers, and Minister Caire specified that “the entire community of the planet has access to the program”, which will allow the government “to have access to a very high level of competence at lower cost”.

The amounts granted, the number of faults detected and the critical levels of these problems may be made public, the minister mentioned, but the details of the reports will not be published for reasons of confidentiality.

“Researchers have no interest in bragging about it because there is a relationship of trust that must be established and to behave like this would have the effect of reducing the credibility of the researcher in question,” added the Minister.

Several flaws in recent months

Last December, the Quebec government preventively closed almost all of its 3,992 websites following the discovery of a major security breach affecting servers around the world. Some of the sites had been closed for a few days.

A few weeks ago, the Sûreté du Québec opened an investigation into a leak of confidential data at the Treasury Board. In the spring of 2021, thousands of parents of children registered at La Place 0-5, the one-stop access point for educational childcare services, had their personal data stolen by a hacker.

According to Minister Éric Caire, “it is with actions like this” (the Bug Bounty Program) that “the level of security of public services and government electronic exchanges within the Government of Quebec” can be increased.
