The State of Canadian Security Research

The State of Canadian Security Research

By SecGuy | SecGuy | 16 Nov 2022


Most countries take a practical approach to the security of their web assets, giving security researchers an outlet to report vulnerabilities if they are found in good faith. For example, Our American neighbors not only have clear instructions on every .gov and .mill domain for reporting vulnerabilities, but they also list their assets on hacking platforms such as Hackerone and Bugcrowd. Likewise, the government of the Netherlands accepts vulnerabilities for all central government assets via a single channel. Canada, however, has no public channel to accept vulnerabilities except in a few departments. The Canadian Digital Service agency suggests "contact the Canadian Centre for Cyber Security." If youve found a vulnerability on Canada's government websites.

Well, what kind of reports can you submit to the Canadian Center for Cyber Security? The link provided by the CDS allows reports for "Cyber Incidents" defined by the Cyber Center as

"Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource."

Well that's interesting, reminds me of the 30 year old "Unauthorized use of a computer" law

342.1 (1) Everyone is guilty ... who, fraudulently and without colour of right,

(a) obtains, directly or indirectly, any computer service;

In essence, the government wants you to report your own "Unauthorized attempt" to access "any computer network " with no guarantee that they wont prosecute you. There is zero emphasis on fixing vulnerabilities, protecting skilled hackers, or protecting the public from government mistakes that put people at risk.

If hackers acting in good faith are not allowed to inform the government of vulnerabilities in their systems, who will find these vulnerabilities? Your public library is vulnerable, your municipal website is vulnerable, your provincial website is vulnerable, your federal website is vulnerable, and the only way that the government will notice these vulnerabilities is after we are attacked and the public is harmed.

This isn't a new issue, you can find Canadian goverment vulnerabilities published on Openbugbounty from years ago that remain unfixed. These vulnerabilities are published publicly because nobody in the Canadian Government would accept or fix the vulnerabilities. 

Every single Government websites should have a publicly listed security contact, should list a public encryption key to send in vulnerabilities safely, and should offer immunity to prosecution for research done in good faith. Instead, the government acts like it's reputation is more important than keeping people safe.

How do you rate this article?

1


SecGuy
SecGuy

Hacker guy from the north


SecGuy
SecGuy

Security opinion.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.