The Independent Uganda: You get the Truth we Pay the Price
Kampala, Uganda | THE INDEPENDENT | The Uganda Bankers Association has endorsed the Bug Bounty Program as part of efforts to improve the security of the financial industry against cybercrimes.
The Bug Bounty is the monetary reward offered to ethical hackers who specifically uncover and document vulnerabilities for application developers.
Lydia Anabo, a Security Analyst at Milima Security says if the program is embraced by the Financial Industry and other cyber technology users or app developers, it goes a long way in improving safety and security.
The discussion of the initiative comes as the world marks October Cyber Security Month, which also coincides with new reports of cash thefts at commercial banks.
Anabo explained that bug bounty programs are essentially reward-based initiatives, with the rewards determined by what you have done or achieved as a bug bounty hunter, or a professional or ethical hacker.
These rewards are dependent on finding vulnerabilities in a company’s systems, which is exploitable.
Bug bounty rewards can be monetary or non-monetary. Security experts say that in cybersecurity, bug bounty programs are essential and the reason companies often engage experts to assess their systems for vulnerabilities.
Using these vulnerabilities, penetration testing is conducted to assess system security.
There are concerns about whether the ethical hackers themselves are not a threat since they have the ability to penetrate the systems to their advantage during the vulnerability assessment exercise.
However, experts say, that ethical hackers rely on the trust they gain from their clients to exist and therefore have to protect it.
Daniel Nsumba, a Security Operations Analyst at Sec-Ops in South Africa, says before they embark on the task, an agreement is made between the hacker and the company detailing the scope of the work and that whatever is found must be reported.
This scoping should encompass the included infrastructures and the types of vulnerabilities the organization seeks.
So, according to him, alignment between hackers and the organization is crucial for bug bounty programs.
Reporting non-critical vulnerabilities may result in no or minor rewards.
The seriousness of the vulnerabilities, and therefore the right to be paid, is based on the hacker’s demonstration that he can use the vulnerabilities to penetrate the company’s security systems.
Providing recommendations for organizations to address these vulnerabilities is also essential to enhancing one’s recognition by the company they have served.
On how important or essential ethical hackers and bug bounty hunters are, Emmanuel Chagara, the Chief Executive Officer at Milima Cyber Security, says the industry cannot be ignored because of the digital transformation pace.
With virtually all sectors becoming digitalized, the safety of their operations is also becoming more vulnerable to cybercriminals, hence the importance of the professional hacking community and programs like bounty hunters.
The discussion was deemed critical, especially for bankers, telecommunications, and financial technology sectors which are increasingly coming under pressure over the financial and data privacy of their clients.
Recently, Bank of Uganda National Payments Systems department director Mackay Aumo faulted the companies for rushing to make money and neglecting the need to first ensure strong security systems.
Recent incidents filmed and circulating on social media show a man who said he had lost 10 million shillings from his account at Equity Bank, and another lady crying over the disappearance of 113 million from her Centenary Bank account.
Equity said it was investigating the incident and was ready to address it with the customer.
The banks have always maintained that the thefts arise from customers giving away their personal details to criminals, loss of mobile phones, and delay in reporting to the banks, as well as dealing with fake social media sites purporting to belong to the companies, among other mistakes.
*****
URN
