Only $250 instead of a million: hackers failed to find vulnerabilities in Diia
In December, the Ministry of Digital Transformation team, with support from the U.S. Agency for International Development (USAID), ran a test of the Diia service on the Bugcrowd platform. No vulnerabilities that would affect security were found. Hackers were able to detect only two low-level technical bugs, which the Diia developers fixed immediately, according to the Ministry's website.
Among the bugs found during the bug bounty, the ministry notes the following:
- The ability to generate a QR code that, when scanned, causes the mobile application to crash with an error. This problem does not affect the security of user data, so it received the lowest priority level, P5.
- The possibility of obtaining information about the insurance policy of a user's car by modifying the application, provided the car's license number and VIN are known. Because this information is freely available anyway and does not contain user or service data that would fall under the protection of the Law “On Protection of Personal Data”, the vulnerability was rated P4.
Bugcrowd representatives announced that whoever discovered the P4-level vulnerability will receive $250 from the total prize fund, which amounted to $35,000. The program did not provide for payouts from the prize fund for P5-level bugs.
A bug bounty is a process in which a company engages third-party cybersecurity experts to test its software for vulnerabilities. For each vulnerability (bug) found, they receive a reward (bounty).
In total, 84 professionals who met the criteria were engaged in the Diia bug bounty, 14 of whom are Ukrainians.