In other more modern and civilized countries you could have gotten a free room and food for as long as they want.
Are there really any countries that actually do this? I'd be curious to see examples of this happening.
In Norway, we had a case in 2018 of a minor finding a spreadsheet online with usernames and passwords for most teachers and students in the municipality's school platform. After some missteps after trying to report the issue and not being taken seriously, he ended up logging in with the credentials of the headmaster and sending a stupid message to everyone. The municipality involved the police, and the police "raided" his house and took some of his computers.
Fairly big controversy in Norway. Bergen (the municipality) showed incredibly bad faith and the worst possible judgement. "Datatilsynet" (the Norwegian Data Protection Authority) gave them a decent fine, and Bergen showed no humility and opted to dispute the fine, as if a kid finding everyone's usernames and passwords was a daily occurrence with no more significance than spilling coffee on one's shirt.
https://www.nrk.no/vestland/datatilsynet-star-fast-pa-millio...
Interesting that the penalty was a fine… seems like the Bergen officials responsible should have been demoted or fired for acting like petty tyrants.
I believe this might be an ironic comment, since free room and free food usually come with a prison sentence.
Not happened yet, AFAIK, but thinkable in Germany. See e.g. https://theworld.org/stories/2021/08/18/massive-security-fla...
Pretty sure they mean prison.
Doofus.
Prison.
> NATALYA: You’ve hacked into the U.S. Department of Justice. You know what will happen if they trace it here?
> BORIS: The Chief of Computers will call me a genius, move me to Moscow, and give me a million bucks hard currency..... I think not.
Which country does this?
Just like code bounties might sound like a good idea on paper, rewarding ethical hackers with huge amounts of cash would undoubtedly result in rapidly diminishing returns.
While they absolutely could/should have rewarded him with more than a lousy t-shirt, I suspect they aren't keen to encourage a bunch of random people to try and poke holes in their security with the expectation of a cash prize.
> I suspect they aren't keen to encourage a bunch of random people to try and poke holes in their security with the expectation of a cash prize
You can either reward your own citizens with large cash prizes, OR, you can reward Russia/China with your data since they'll gladly poke around for free.
This is being penny wise and pound foolish.
Weird nationalistic view... I would reword this as rewarding criminal activity of any interested party.
Going off my SSH logs, it's more or less correct, statistically speaking.
Most humans (including, obviously, ethical hackers) have some motivations which are not financial. And politics and small-country financial reality almost certainly preclude outbidding China, Russia, & such for bugs.
>Most humans (including, obviously, ethical hackers) have some motivations which are not financial.
Most humans also need a full-time job to survive. If I wouldn't have to work a job to live, I would have more free time for good Samaritan pen-testing for the government if that would pay my bills instead.
In some socialist European countries, artists get subsidized by the state to create "art" instead of working. Why can't we do that with pen-testers? Sit around at home on UBI and look for zero-days in government infrastructure?
Sounds like the Dutch gov't prefers to employ folks who've gone through their hiring process. Their choice, and there are plenty of orgs with more generous bug bounty programs.
(BTW, maybe check on the origin of "Good Samaritan". His saintly disinterest in any sort of personal gain was the whole point of that story.)
I sorta agree with you, but self-reference is what makes it break the universe (no Hamlet, incompleteness, or halting, for example).
The t-shirt is actually kinda nice in that regard. Of course, it would go better with stuffed euros.
Note this was from 2021 (I remembered reading this a while back), but it's not in the title.
I got one of these shirts in high school for a bug I found & thought it was the coolest thing. It's funny & sets expectations – https://x.com/hacker_/status/863057296309485569/photo/1
Did they really send the T-shirt? It feels like it must be a joke.
Imagine a meeting where some bureaucrat went to their boss and said "hey this person did us a huge favor, can I get a €30 budget to specially order them a gimmick t-shirt" followed by some correspondence where the government obtained their address and shirt size, yet bizarrely not their name. I can't believe that happened.
They really do send a t-shirt. And if you're really good... a hoodie [0].
You could look at it the opposite way around - someone's come up with a genius idea to do a bug bounty on a beer budget.
[0] https://english.ncsc.nl/latest/weblog/weblog/2022/i-am-on-th...
I don't find the lack of a financial reward objectionable as long as it's clear one doesn't exist. The gimmick shirt also isn't an issue, though the process of distributing it amuses me.
A team of government workers spending paid time deciding which security volunteer deserves the most nonfinancial recognition mildly irks me.
The real favour is not taking you to court for attempting to break into critical national infrastructure. The shirt is just a fun gimmick. Beats only sending a letter, in my opinion.
Also, it's unlikely that they didn't just ask for the author's size and address. The standard disclosure process involves a temporary non-disclosure and negotiating if/when publication of the issue will take place.
The author was pleased with the response, and the process has improved since this was published.
That isn't a favour. The favour is finding the vulnerability and being nice enough to communicate it to those who are impacted. If you as an organisation are shitty enough to view the reward for that as a lack of punishment, nobody should be communicating that to you.
A government should have a formal response, not a joke. It downplays the work of the hacker and the severity of the issue.
This is the formal response, in accordance with the procedure documented on the website: https://english.ncsc.nl/contact/reporting-a-vulnerability-cv...
There's also more to the process than just sending a shirt.
> * If you submit your report in accordance with the procedure, then there will be no grounds for legal consequences in relation to your report. We will handle your report in confidence and we will not share your personal details with third parties without your permission unless we are compelled to do so by law or by a court ruling.
> * We will only specify your name as the discoverer of the vulnerability in question if you give permission for us to do so.
> * We will confirm receipt of the report within one working day and we will subsequently send an assessment of your report within three working days. We will also give you progress updates regarding the resolution of the problem.
> * The NCSC will strive to have the security problem identified by you resolved within no more than 60 days. Upon resolution of the problem, we will consult with you to determine whether and in what way to publish details of the problem and its resolution.
> * The NCSC will also offer a reward to thank you for your help. This reward can vary from a T-shirt to gift certificates depending on the severity of the security problem and the quality of the report. To be eligible for a reward, the report must concern a serious security problem that is as yet unknown to the NCSC.
The letter was the formal response.
I'd get a visit at 6 AM...
Complaining is not ethical.
Who complained? The author seems happy with his prize, even with the fair acknowledgement that it is disproportional to the value of his efforts.