The South Australian government will create a bug bounty program for cyber security researchers who identify vulnerabilities in its internet-facing services.
The Department of Premier and Cabinet (DPC) revealed the plans in an approach to market this week, as vulnerability reports continue to climb worldwide.
The community vulnerability management service would create a formal way for the department to engage the community, and better manage the discovery of vulnerabilities.
Until now, the South Australian government has had an “ad hoc” arrangement, where citizens can report cyber security issues they discover.
In line with other bug bounty programs, the department has revealed it will pay cyber security researchers “financial rewards” for uncovering any vulnerabilities.
The planned bug bounty program comes after a damning audit last year that found penetration testing and vulnerability scanning to be “limited and ad hoc” at the majority of agencies assessed.
Around 80 per cent of the 292 public-facing environments assessed had not been pen tested in the last three years, including 47 per cent of environments holding sensitive information.
Few state and territory governments have previously revealed the existence of formal bug bounty programs.
In 2019, NSW Customer Service Minister Victor Dominello stated that NSW had created such a program as part of the development of the NSW digital driver’s licence.
While the DPC has offered no timeframe for when the bug bounty program might start, it plans to enter a contract for up to the next two years with the successful supplier in July.
In last year’s budget, the government set aside $20 million to improve the state’s cyber defences, a significant portion of which will be used to create a cyber security operations centre (CSOC).
The CSOC will build on the existing security watch desk and cyber threat intelligence team in the Office for Cyber Security within DPC.
According to the government’s ICT, cyber security and digital government strategy, cabinet has also approved a number of other initiatives to address “significant” cyber security vulnerabilities.
SA gov to create bug bounty program
Looks to replace “ad hoc” vulnerability reporting from July.