The Incomes Register invites hackers to test information security

10/2/2023

A new bug bounty programme will start in the Incomes Register in October 2023.

The programme aims to identify any security vulnerabilities in the testing environment. Because the testing takes place in a testing environment resembling the production environment, the Incomes Register’s actual personal and income data are not exposed to the hacking. This also ensures that the Incomes Register’s availability and security are not at risk during the programme.

Bug bounty programmes have been used in the Incomes Register since 2019. The previous programme ended in 2021. The Finnish Tax Administration used the programme for the first time in 2017 in the MyTax service.

No significant information security vulnerabilities have been discovered in the Incomes Register during the previous programmes. However, information security has been improved further based on the observations made concerning such factors as the service’s reliability.

Dozens of hackers have participated in the programmes.

– We would like to thank all participants: the quality and level of the observations we have received have been really high and useful to us. We hope that as many as possible of the hackers invited to the new programme will want to test the service in as varied ways as before, says Samuli Bergström, Director of Security and Risk Management at the Finnish Tax Administration.

Ensuring information security and the safe processing of data are vital principles in the e-services and all activities of the Incomes Register and the Finnish Tax Administration.

Bug bounty programmes test information security through crowdsourcing

A total of 10–20 information security testers, or white hat hackers, will be invited to the Incomes Register’s new programme. In other words, participation in the bug bounty programme is by invitation only.

A reward will also be paid to hackers who report their information security observations. The amount of the reward depends on the significance of the risk identified. The participating hackers commit to abiding by the Finnish Tax Administration’s rules, including the payment of rewards for validated observations only. In addition, hackers commit to keeping any identified vulnerabilities secret and avoiding causing any unnecessary disturbance to the service. Furthermore, the participants must be independent. This means that they cannot be employed by the Finnish Tax Administration or be involved in the development of the service being tested.

The programme will be carried out in cooperation with the French YesWeHack service.

– We believe that the international service provider helps us reach an even larger group of hackers. Of course, we hope that any hackers who have previously tested the service want to give it another go, Bergström says.

Page last updated 10/2/2023