Ethical Hacking & Bug Bounties

I think by now it has become blatantly obvious that far too many organisations are playing it fast and loose with our data. They often well respected and talk of privacy, security and safety when in reality they’re nothing of the sort and sadly there is no way to know until it all goes terribly wrong.

Vtech have lost addresses and information about children, TalkTalk lost 15,000 bank account numbers and 157,000 customer details and Experian exposed the details of 15,000,000 people. It’s insane, week after week, month after month, year after year millions of customer details are being exposed and nothing is changing and it continues to happen.

Once that data is out in the wild there is no going back, there is no point tightening things up after the fact, it is too late. Millions of people around the world are being exposed to enhanced phishing attacks and identify fraud due to these frequent hacks.

Government Enforced Bug Bounty

I find bug bounty programmes are a great indicator of an organisations commitment to security. They’ve put their money where their mouth is and attracted the attention of every security researcher in the land, “come hack us and we’ll give you money”.

So why not legally enforce what is in essence a bug bounty programme on every company operating in the UK holding more than X number of customer records (I’m thinking a number around 5000 might work). If customer data is leaked the ICO acts as an independent body to verify the potential damage the hack could’ve caused then a fine is levied with 25% to the ICO, 25% to the treasury and 50% to the security researcher which identified the breach.


  • No significant damaged to be caused. Delete your own user account from the system, fine, delete an entire database, default.
  • Do not effect business as usual. No DDOSing of a target system for example.
  • Data pulled during a breach must be minimal and encrypted immediately. On submission you confirm this data is the only copy and has been securely stored, if it found on the Internet you will be charged by the ICO for a data breach.
  • Detailed instructions of the hack must be provided and it must be reproducible.
  • No physical hacking such as stealing a laptop and pulling the data. Although this is a valid concern we obviously can’t have people charging around stealing laptops.

Sony as an example

In 2011 Sony’s Play Station Network was hacked and the personal details and credit card numbers of millions of users were breached in a preventable attack. The ICO levied a £250,000 fine due to the severity of the attack.

  • £125,000 to a security researcher
  • £62,500 to the ICO
  • £62,500 to the treasury
  • No customer details leaked!

Now there is no guarantee that security researchers would find a hole such as this before criminals but £125,000 certainly would give them motivation to!