Security.txt as a standard for Bug Bounty programs throughout Ukraine.

11 May 2023


Our 1st initiative

The HackYourMom team proposes a state initiative that we consider quite important: make security.txt the national standard for Bug Bounty programs throughout Ukraine. Below we explain what the initiative means, but first we go over the basic terms needed to understand our proposal.

Security.txt is a website security standard (published by the IETF as RFC 9116 in April 2022) designed to make it easy for private researchers (hackers, security engineers) to report security vulnerabilities in a website directly to the owner of that resource. It is a plain-text file of "Field: value" lines, with Contact and Expires as the required fields, served over HTTPS at /.well-known/security.txt. To date, security.txt files have been adopted by tech giants such as Google, GitHub, LinkedIn, and Facebook.
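As an added example (this is not code from the HackYourMom post), here is a small Python validator for the checks a site owner or researcher would want before trusting a security.txt file under RFC 9116: Contact must be present and be a mailto:, tel: or https: URI; Expires must appear exactly once, be an RFC 3339 date-time and lie in the future; Canonical must use https; and unknown field names are reported, since "Acknowledgements" (a common misspelling of the RFC's "Acknowledgments") is the typical mistake. The two sample files and the example.gov.ua domain are constructed placeholders for this example, not a real site's file.

```python
"""Minimal RFC 9116 security.txt validator (added example, not the post's own code)."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample: what a hypothetical state site might publish at
# https://example.gov.ua/.well-known/security.txt (placeholder domain).
SAMPLE_GOOD = """\
# Security contact for example.gov.ua (hypothetical placeholder)
Contact: mailto:security@example.gov.ua
Contact: https://example.gov.ua/report-vulnerability
Expires: 2030-12-31T23:59:59.000Z
Encryption: https://example.gov.ua/pgp-key.txt
Preferred-Languages: uk, en
Canonical: https://example.gov.ua/.well-known/security.txt
Policy: https://example.gov.ua/bug-bounty-policy
"""

# Constructed sample with the mistakes most often seen in the wild:
# bare e-mail address, expired and duplicated Expires, misspelled field.
SAMPLE_BAD = """\
Contact: security@example.gov.ua
Expires: 2020-01-01T00:00:00.000Z
Expires: 2021-01-01T00:00:00.000Z
Acknowledgements: https://example.gov.ua/hall-of-fame
"""

KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
CONTACT_SCHEMES = {"mailto", "tel", "https"}
# Date of the post; used as a fixed "now" so results do not drift.
ARTICLE_DATE = datetime(2023, 5, 11, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped.
    Field names are case-insensitive in RFC 9116, so they are lower-cased here."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_expires(value):
    """Parse an RFC 3339 date-time such as 2030-12-31T23:59:59.000Z into an aware datetime."""
    # datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11; normalise it.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    when = datetime.fromisoformat(value)
    if when.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return when


def validate(text, now=None):
    """Return a list of problems; an empty list means the file is usable by a researcher."""
    now = now or datetime.now(timezone.utc)
    problems = []
    by_name = {}
    for name, value in parse_security_txt(text):
        by_name.setdefault(name, []).append(value)
        if name == "acknowledgements":
            problems.append("unknown field 'acknowledgements' (RFC 9116 spells it 'Acknowledgments')")
        elif name not in KNOWN_FIELDS:
            problems.append(f"unknown field '{name}'")

    contacts = by_name.get("contact", [])
    if not contacts:
        problems.append("missing required field 'Contact'")
    for contact in contacts:
        if urlparse(contact).scheme.lower() not in CONTACT_SCHEMES:
            problems.append(f"Contact '{contact}' should be a mailto:, tel: or https: URI")

    expires = by_name.get("expires", [])
    if len(expires) != 1:
        problems.append(f"'Expires' must appear exactly once (found {len(expires)})")
    for value in expires:
        try:
            when = parse_expires(value)
        except ValueError as exc:
            problems.append(f"Expires '{value}' is not RFC 3339: {exc}")
            continue
        if when <= now:
            problems.append(f"file expired on {value}; researchers should not rely on it")

    for canonical in by_name.get("canonical", []):
        if not canonical.lower().startswith("https://"):
            problems.append(f"Canonical '{canonical}' must be an https URL")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"--- {label} sample ---")
        for problem in validate(sample, now=ARTICLE_DATE) or ["OK"]:
            print(problem)
```

Run it as a script to see the bad sample rejected for five separate reasons while the good sample passes; the same `validate` function can be pointed at the body fetched from a live /.well-known/security.txt.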
A Bug Bounty program is a process in which a company engages third-party cyber security experts (hackers, security engineers) to test its software for vulnerabilities in exchange for a reward. For each vulnerability (Bug) found, the hacker receives a reward (Bounty). The company publicly announces the scope of the work (which systems may be tested) and the reward level for each vulnerability, and anyone can register and take part in the Bug Bounty program.
Now that you know the basic terminology, let’s get down to the nitty-gritty and take a closer look at our state initiative.

Study, read, and learn from others, and do not shy away from your own…

As we said above, we propose to make security.txt the national standard of Bug Bounty programs throughout Ukraine. The idea is that placing this file on every government site (RFC 9116 specifies the path /.well-known/security.txt, with /security.txt at the site root kept as a legacy fallback) will let any private researcher (hacker, security engineer) send information about a vulnerability in a Ukrainian state resource directly to the owner of that resource, without registering on additional Bug Bounty platforms. We believe this is the best decision for the country for several reasons:

1) It removes the corruption risks that arise when selecting third parties, private companies or Bug Bounty platforms to provide information security services. Lobbying for such companies is often done for personal financial gain, and the companies themselves do not always deliver high-quality detection of critical vulnerabilities in government websites.

2) Placing security.txt on all government sites eliminates any intermediary between the customer (the state) and the specialist (the hacker), which improves the quality of the work, since an openly published financial reward will attract a large number of interested, high-quality specialists to the tasks that need solving.

3) The presence of security.txt on all state sites lets specialists work with all state sites at the same time, which speeds up the elimination of critical vulnerabilities across the country's state sites tenfold. Hundreds of specialists can search for vulnerabilities on just as many state sites every day, while intermediary companies can work with at most a few sites at a time, taking longer and consuming more money.

4) It is financially better for both the state and the specialists who do the work. Without a third party, the state can offer a larger financial reward for each vulnerability found, and the specialist does not pay a percentage to intermediaries. Even though each specialist earns more, the total amount the state spends will be less than when working through intermediaries.

5) The high demand created by the state will stimulate citizens' interest in cyber security, which in turn will increase the number of high-quality specialists in Ukraine and accelerate the development of the country's IT industry.

6) We want to give everyone an opportunity to participate in improving the information security of state resources of Ukraine.

As the arguments above show, implementing this state initiative fully serves the interests of our country and will bring significant and fairly rapid change to state cyber security, which is certainly an important factor for the high-quality work of state structures and the protection of sensitive state information.
