The Incomes Register will utilise hackers to test data security


At the end of October, the Incomes Register will kick off a bug bounty program in which hackers will try to expose possible vulnerabilities in the Incomes Register's data security. A reward will be paid to those cyber security researchers, so-called white hat hackers, who are able to find vulnerabilities. The amount of the reward depends on the significance of the risk discovered.

The Tax Administration tested a bug bounty, i.e. a vulnerability reward program, in the MyTax service in 2017. The program yielded positive results and will now be implemented in the Incomes Register as well. The aim is for a group of cyber security researchers to find possible vulnerabilities in the system and for the problems to be fixed immediately upon discovery.

'Dozens of hackers took part in the MyTax bug bounty program. We discovered multiple vulnerabilities in the service that would not necessarily have been discovered with the usual security checks. The biggest reward for a single observation was EUR 3,500,' says Samuli Bergström, the Tax Administration's Safety Manager.

In the Incomes Register's bug bounty, the hackers will look for vulnerabilities in the testing environment. The hackers will get to test the system extensively in the testing environment, as no actual personal or income data are stored in this environment. Thus, the hackers will not target the real personal or income data in the Incomes Register. The bug bounty program will not compromise the usability and security of the Incomes Register.

Over 43 million earnings payment reports have been submitted to the Incomes Register

The Incomes Register, launched in January 2019, is an electronic database into which data concerning paid wages and remunerations is reported. The amount of data stored in the Incomes Register is enormous. The number of submitted earnings payment reports alone is over 43 million so far.

The Incomes Register contains the earnings payment data of every Finnish citizen. Data security is high on the list of priorities. Using hackers to find vulnerabilities is an interesting addition to the usual data security practices.

'The Incomes Register is a fairly new system that contains massive amounts of data. In the future, an even larger group of officials and other organisations will utilise the Incomes Register data. The system is still constantly being developed and new vulnerabilities may appear. Therefore, we hope that hackers will continue to be interested in working with the Incomes Register for a long time,' Bergström says.

The bug bounty program utilises communality

Bug bounty is a communal way of testing data security. In a bug bounty program, a selected group of hackers tests a specific system according to their own interests.

'Let's hope that the Incomes Register's vast database will inspire a large group of hackers to take part in the program. The more participants there are, the better the results will probably be,' says Bergström.

The Incomes Register's bug bounty will start at the end of October

So far, only a selected group of white hat hackers has been invited to take part in the Incomes Register's bug bounty program. The selected hackers have received personal invitations. The cyber security researchers participating in the program will commit to following the Tax Administration's rules.

The Incomes Register's bug bounty program will start at the end of October. The Tax Administration will implement the bug bounty program in cooperation with 2NS Oy and portal.

Read more: Tax Administration makes communal data security testing permanent – hackers welcome to test the data security of e-services in the future as well (In Finnish)