“White-hat” hackers who spot a security vulnerability in a computer system or network may be one of the most sought after professions in Japan today with technology firms struggling with increasing threats of cyberattacks.
In an effort to strengthen education on system security and train ethical hackers, a state-run Japanese college has launched a bug-hunting contest among its students.
White-hat hackers are those who detect security weakness to prevent “black-hat” malicious hackers from infiltrating computer systems, and stealing and destroying data.
In 2014, Cybozu introduced a “bug bounty” programme, allowing white-hat hackers to test its system and paying them cash rewards for finding any vulnerability.
Akitsugu Ito, an official of the Tokyo-based software company, said the firm pays up to 500,000 yen (US$4,400) for each problem detected. About 370 vulnerabilities had been recognised by the end of last year under the bug bounty programme, he said, adding the total payout has amounted to around 15.6 million yen.
“Outside security experts have special expertise in discovering security problems,” Ito said. “They can identify bugs that cannot be spotted in our tests.”
Line, the operator of the popular free messaging application in Japan, followed suit in 2016.
Meanwhile, Sprout, a cybersecurity venture in Tokyo, launched a business in 2016 aimed at connecting security-conscious companies with white-hat hackers around the world. The company takes security vulnerability reports from bug hunters and pay rewards to them on behalf of the member companies.
The number of contract companies now totals 10 including Pixiv, an online community site for artists who want to exhibit their work, and Avex Group Holdings, a major entertainment business company. More than 430 hunters have been awarded a total of 3.9 million yen under the programme.
On the educational front, Chiba University has organised a bug-hunting contest for its students.
“It is the first such attempt by a Japanese national university,” said an official of the university based in Chiba, east of Tokyo.
An orientation session held in mid-January for the contest attracted a greater than expected 50 students.
No cash is paid to those taking part in the contest, which is held as part of the university’s curriculum to enhance people’s awareness of computer security. Instead, students recognised competent in detecting security vulnerabilities are eligible for non-monetary gifts.
“We expect those who perform excellently in the contest to play a leading role in the security industry in the future,” said Tetsuya Ishii, vice-president of Chiba University.
Bug bounty programmes are very common in the US, often organised by multinational technology companies such as Google and Microsoft. The US Department of Defence introduced the “Hack the Pentagon” pilot bug bounty programme last year.
Technology companies in Japan find it imperative to train qualified computer security experts in response to cyberattacks that have become very sophisticated and complex.
Sprout President Seigen Takano said: “Many of our clients are finding bug bounty programmes effective and we are receiving an increasing number of inquiries. Bug bounties could proliferate explosively.”