Quebec government to pay researchers for discovering vulnerabilities
The Minister of Cybersecurity and Digital and Minister responsible for Access to Information and the Protection of Personal Information, Éric Caire, has announced the launch of the “Programme de prime aux bogues” (bug bounty program), a new initiative to enhance the security of the government’s IT assets.
It is a first for a public administration in both Quebec and Canada. The government will give computer security researchers who specialize in vulnerability detection controlled access to specific assets, allowing them to find vulnerabilities that could compromise the security of Quebeckers’ data.
With this initiative, the Government of Quebec has established a collaboration with specialists who have cutting-edge expertise in the field.
“The collaboration of the Information Security research community is essential in order to effectively combat cyber threats and cyber attacks. I am proud to initiate this program which will pool the expertise of the state with that of the community. This innovative approach will certainly offer greater firepower to identify potential IT vulnerabilities in our assets and above all, to correct them quickly. Through actions like this, we will be able to increase the level of security of public services and government electronic exchanges within the Government of Quebec,” declared Minister Caire in a press release.
The selected assets will be copied into sandboxed test environments, and no personal data will be accessible to researchers who will analyze them. They will be available through the French YesWeHack platform, a European leader in the field.
The strategy should make it possible to increase security and harden Quebec’s computer assets in a beneficial way, as researchers will be paid only for the vulnerabilities they discover. Compensation ranges from $50 to $7,500 per identified vulnerability, depending on its damage potential and criticality.
The program is part of Quebec’s strategy for achieving the objectives of the Government’s Cybersecurity Policy:
- Train government personnel to provide the first security barrier against cyberattacks
- Accelerate the management of vulnerabilities within the government
- Engage in collaborative research and innovation partnerships