In a recent development, the Uganda Bankers Association has thrown its weight behind the Bug Bounty Program as part of its concerted effort to bolster the security of the financial industry against cybercrimes.
Lydia Anabo, a Security Analyst at Milima Security, has explained that this program offers monetary rewards to ethical hackers who identify and document vulnerabilities in applications for developers. If this initiative garners support from the financial industry and other users of cyber technology and application developers, it could significantly enhance overall safety and security.
This endorsement comes during October Cyber Security Month, which also coincides with new reports of cash thefts at commercial banks. Bug bounty programs are essentially incentive-based efforts, where the rewards are commensurate with the level of achievement by the ethical hacker. These rewards are contingent upon discovering exploitable vulnerabilities within a company’s systems.
Bug bounty rewards can be either monetary or non-monetary. In the realm of cybersecurity, these programs are considered essential, and many companies enlist the services of experts to assess their systems for vulnerabilities. This assessment includes penetration testing to evaluate system security.
However, there have been concerns regarding whether the ethical hackers themselves pose a security threat while assessing vulnerabilities. Experts argue that ethical hackers rely on the trust they build with their clients and are, therefore, committed to protecting it.
According to Daniel Nsumba, a Security Operations Analyst at Sec-Ops in South Africa, prior to commencing the task, a comprehensive agreement is reached between the hacker and the company. This agreement outlines the scope of the work and mandates that any discoveries must be reported. It should encompass the infrastructures included and the specific types of vulnerabilities the organization is interested in.
Alignment between hackers and the organization is deemed crucial for the success of bug bounty programs. Reporting non-critical vulnerabilities may lead to minimal or no rewards. The gravity of the vulnerabilities and the subsequent compensation are determined by the hacker’s ability to exploit these vulnerabilities and penetrate the company’s security systems.
Providing recommendations for organizations to rectify these vulnerabilities is also essential for building recognition by the company they have served.
Emmanuel Chagara, the Chief Executive Officer at Milima Cyber Security, emphasized the importance of ethical hackers and bug bounty programs in the digital age. As almost all sectors transition to digitalization, the safety of their operations becomes increasingly vulnerable to cybercriminals, highlighting the significance of the professional hacking community and initiatives like bug bounty programs.
This discussion is particularly pertinent for sectors such as banking, telecommunications, and financial technology, which are facing growing pressure concerning the financial and data privacy of their clients.
Notably, Bank of Uganda’s National Payments Systems department director, Mackay Aumo, criticized companies for prioritizing profit over the establishment of robust security systems. Recent incidents, shared on social media, include a man claiming to have lost 10 million shillings from his Equity Bank account and a woman lamenting the disappearance of 113 million from her Centenary Bank account.
Equity Bank has initiated an investigation into the incident and pledged to address the matter with the affected customer. The banks maintain that these thefts primarily occur due to customers divulging personal information to criminals, losing mobile phones, delayed reporting to the banks, and interactions with counterfeit social media sites falsely claiming affiliation with the companies, among other factors.
