Safaricom rolls out plan to reward ethical hackers

Telecom operator Safaricom #ticker:SCOM is launching programme to promote and encourage ethical hacking and responsible disclosure of bugs or vulnerabilities found in any of its products and services.

The target groups are university and college students, innovation centres like iHub and iLab, cyber security forums such as Africa Hackon, ISACA and Hackathons.

Through a partnership with HackerOne, a cyber-security company, hackers can submit bugs they may find in a confidential and responsible manner which will then be vetted and triaged by the HackerOne team independently.

“The reason for starting this program was to encourage hackers to report any bugs/vulnerabilities that they may find in Safaricom’s products and services to Safaricom in a confidential and ethical manner instead of exploiting them or disclosing them to the public,” said Thibaud Rerolle, Safaricom’s Technology Director.

According to the firm if the issue is found to be valid, HackerOne will then forward it to Safaricom for confirmation before awarding the hacker for their effort.

Mr Rerolle said the award can range between Sh25,000 ($250) and Sh200,000 ($2,000) depending on the severity of the bug.

“The HackerOne platform is used by many Fortune 500 companies - the likes of Facebook, Google, Microsoft, Apple and even the US Department of Defence,” said Mr Rerolle.

As of July 2018, HackerOne’s network consisted of approximately 200,000 security researchers and had resolved over 72,000 vulnerabilities across over 1,000 customer programs and had paid over Sh3.1 billion ($31 million) in bounty rewards.

A report released by Serianu an IT services consultancy firm, showed that Kenya lost Sh21.1 billion to cybercrime in 2017, a 40 per cent increase from Sh15.1 billion in 2015.

This is a clear indication that hacking is becoming more widespread in the country and the amount of money lost to hacking is increasing rapidly.

Safaricom also wants to discover more bugs/vulnerabilities by taking advantage of crowd sourcing whereby the telco can leverage on the knowledge and skills of many ethical hackers locally and even globally instead of just relying on their own expertise.

Bug county programs are also generally more cost effective than hiring security consultants to do penetration testing.

This is because for bug bounty programs, you only pay for bug or vulnerabilities found unlike hiring security consultants who are paid based on man hours regardless of whether they find any bugs or vulnerabilities.

Serianu report stated that over 90 per cent of African companies are operating below what is called the “cyber security poverty line”, which is a big concern.

This means that most companies in Africa do not have the basic security measures to deal with cyber security threats and this puts them and their customers at great risk of losing money or even their reputation as a company.

A good example is what happened to Facebook with Cambridge Analytica data breach that cost Facebook more than $100 billion (Sh10 billion) drop in their share price and eventually forced the CEO of Facebook to be summoned by the United States Congress and apologise to the public.

Sector players say the enactment of the Computer and Cyber Crime Bill 2017 was a big step for Kenya in cyber security as crime was not well defined and as a result, it was very difficult to convict anyone of a cybercrime.

They said the proposed Data Protection Bill 2018 is also another big step towards the right direction and is in line with global data privacy laws such as General Data Protection Regulation (GDPR).

“However, a lot more still needs to be done by the government and other institutions to reach the same maturity level in cyber security laws as other more developed countries,” said Mr Rerolle.

“In 2017, the US passed over 240 cyber security related bills in various States so this goes to show you we still have a long way to go in Kenya and Africa in general,” added Mr Rerolle.