Gisec 2022: du plans to offer 'bug bounty' as a service to its customers

A bug bounty is a reward given to ethical hackers who discover and report vulnerabilities

Ethical hackers in the bug bounty section of Gisec Global 2022 at the Dubai World Trade Centre. Antonie Robertson / The National

Emirates Integrated Telecommunications Company, known as du, is planning to offer a bug bounty as a service to its customers following the success of its trial programme.

A bug bounty is a reward given to ethical hackers who are able to discover and report a vulnerability – a bug – in a computer app or software, enabling solutions to be programmed before the bug becomes widespread.

The pilot phase of du's bug bounty programme, which was completed in two months and included the participation of several “elite security people”, allowed the telecom company to explore vulnerabilities before the services go to market, said Jasim Al Awadi, head of government and key accounts at du.

“We have concluded our bug bounty programme and the results are phenomenal. Very soon we will start implementing it in our network. We will have an on-premises server, then we will offer it as a service to our customers,” Mr Al Awadi told The National in an interview at the Global Information Security Expo and Conference in Dubai.

The UAE National Cybersecurity Council launched the bug bounty programme in August 2020 with the goal of strengthening the country's cyber security systems.

Du, along with e& — then known as Etisalat Group — and the Telecommunications and Digital Government Regulatory Authority, were among the first to trial it.

Abu Dhabi-based telecom operator e& – which rebranded last month – completed the first bug bounty programme in October during Gitex Technology Week.

The two-month pilot was conducted in collaboration with Yogosha, a Paris-based crowdsourced bug bounty platform, and Abu Dhabi-based defence consulting firm Beacon Red.

The global bug bounty market was valued at $223.1 million in 2020 and is projected to hit almost $5.5 billion by 2027, growing at a compound annual rate of 54.4 per cent from 2017-2027, according to California-based data provider All The Research.


Gisec day two - in pictures


By industry, internet and online services is the most served category with almost a quarter of market share, followed by computer software (16 per cent), financial services and insurance (8 per cent), media and entertainment (7 per cent) and cryptocurrency and blockchain (4 per cent), according to data from Statista.

Regionally, North America has the largest share of the market at almost 50 per cent, followed by Europe and Asia-Pacific each, with about 20 per cent. Latin America, and the Middle East and Africa account for roughly 3 per cent each, All The Research said.

Companies, most notably in Big Tech, have recruited the hacker community to assist them in this endeavour.

Google, the world's biggest internet company, handed out a record $8.7m in bounty payouts in 2021, with the biggest a $157,000 reward for a security issue found within its Android mobile operating system.

In 11 years, the company made almost $38m in payouts.

Apple's Security Bounty programme, meanwhile, is more lucrative. Successful hunters can earn as much as $1m, and the iPhone maker will even match donations of the bounty payment to qualifying charities, according to its website.

Mr Al Jasim did not provide details of du's bug bounty rewards scheme, but said the efforts of their participants have been well recognised.

Previously, about 10 to 15 years back, cyber security was a luxury item to have, but now it’s now a necessity
Jasim Al Awadi, head of government and key accounts at du

“For the bounty programme, we are part of the community and we are engaging by rewarding them based on the agreement between us and Yogosha,” he said.

The bug bounty programme is part of the wider efforts of the UAE’s wider efforts to strengthen its cyber defences at a time of an increased threat, Mr Al Jasim said.

Du, he said, continues to invest “billions” on an annual basis on its telecom infrastructure, with security “having a good chunk of that".

“We are investing in engineers, people and processes to build all of these defence mechanisms to protect the nation and the people living in it,” he said.

“About 10 to 15 years back, cyber security was a luxury item to have, but now it’s now a necessity. Cyber security is [part of our] DNA – it is something that we need to live with on a daily basis.”

Jasim Al Awadi, head of government and key accounts at du. Photo: EITC
Updated: March 22, 2022, 1:09 PM