Published on the 13/10/2020 | Written by Heather Wright
Bank joins growing numbers crowdsourcing cyber bug control…
National Australia Bank has launched the first bug bounty program for Australasian banking, paying hackers who find previously undisclosed vulnerabilities in its systems.
The new program comes just weeks after the bank – the parent company of Bank of New Zealand – said it had been hit by nearly three million cyber threats a day in the second quarter of 2020. The 261 million threats blocked in the second quarter is a dramatic increase on the 197 million seen in Q1.
Nick McKenzie, NAB executive enterprise security, says using controlled crowdsourcing methods would assist NAB to further test and strengthen its existing cybersecurity capabilities.
“Moving to a ‘paid bounty’ gives us the ability to attract a wider pool of ethically-trained security researchers.”
“Controlled, crowdsourced cybersecurity brings together uniquely skilled testers and security researchers with fresh perspectives to uncover vulnerabilities in our defences that traditional assessment might have missed,” McKenzie says.
Of course, the bank won’t be letting just anyone loose on its systems. Instead, it’s using vetted ‘security researchers’ from crowdsourced security company Bugcrowd. To be part of the NAB program, the security researchers will need to have an ‘Elite Trust Score’ on the Bugcrowd platform.
Bugcrowd, whose backers include Blackbird Ventures, Paladin Capital Group and Salesforce Ventures, has companies including Mastercard and payments processing provider Square among its client lineup.
The bug bounty model and ethical hacking platforms, are becoming increasingly popular. Apple, Facebook, GitHub, Google, Microsoft and Intel all offer bounty programs. Zoom, which previously ran a bug bounty on the HackerOne platform, hired Luta Security to handle its program earlier this year.
It’s a method that is also apparently having success, providing a diversity that improves resilience in security testing.
Bugcrowd, which has more than 1,200 customers using its crowdsourced security, claims its ethical hackers prevented US$8.9 billion of cybercrime last year, and says they will mitigate a projected $55 billion by 2025. As to how much is being paid out, bounties for critical vulnerabilities were up 27 percent to $2,670, though internet of things manufacturers were proving the most lucrative payment wise, with an average payout of $8556 per critical vulnerability.
Meanwhile HackerOne, the largest ethical hacking platform, says its hackers have helped find and resolve more than 181,000 vulnerabilities, with one-third of those reported in the past year alone, with the ‘vulnerability researchers’ awarded more than US$44.7 million in bounties in the past year, up 86 percent year on year.
But while HackerOne, which runs bug bounty programs for the US Department of Defense among others, has more than 830,000 hackers on its books, CEO Marten Mickos said last year only about 5,000 were really ‘doing well’. More than 50 hackers earned more than $100,000 in 2019 from the bounties, while nine hackers have now earned more than $1 million from the HackerOne platform.
As to the clients, HackerOne has more than 1,600 organisations on its books, including a who’s who of big names: General Motors, PayPal, Goldman Sachs, Hyatt, Lufthansa, Starbucks, Nintendo…
Financial services make up more than seven percent of the market (internet and online services, followed by computer software firms make up the biggest chunk of HackerOne’s clients).
NAB’s McKenzie says proactive cybersecurity measures are ‘vital’ in today’s hyperconnected environment, where new threats are constantly emerging.
“Diversity is a critical, yet often overlooked, factor in security and controls strategies,” he says.
“Moving to a ‘paid bounty’ gives us the ability to attract a wider pool of ethically-trained security researchers from across the globe.”
NAB says while the hackers will work in live environments, they won’t have access to any customer information, and the activities will not affect customers’ banking experience.
As we went live with this story, Bank of New Zealand hadn’t replied to queries from iStart as to whether the program will be deployed on BNZ systems as well.