Challenge

About responsible vulnerability disclosure programme ‘Hack me if you can‘

Caring for security of its own and that of others, the City of Vilnius openly invites its citizens to contribute to the enhancement of cybersecurity by participating in the municipality’s programme for responsible vulnerability disclosure called 'Hack me if you can'. The programme will provide the opportunity to identify gaps in one of the 5 websites hosted by the municipality. The participants are expected to be incentivised not by a reward or bounty, as no such things is offered, but by the will to contribute to strengthening city’s cyber resilience. The City of Vilnius is the first public institution in Lithuania courageously taking the initiative to change a rather reserved approach towards cybersecurity in Lithuania.

Solution

Responsible vulnerability disclosure

Cybersecurity vulnerability disclosure is considered responsible when the discovered vulnerabilities are first revealed to the organization which is the owner of the systems and infrastructure where they have been found. By having a responsible vulnerability disclosure programme, the organization provides clear rules and responsibilities as well as outlines which methods and processes should be used and followed. Such set of guidelines assures that the activities performed while testing are not disruptive and will not be considered as malicious act.

Currently Lithuania does not have a national approach towards legal aspects of responsible vulnerability disclosure, however, this should not constrain organizations to initiate, prepare and start using disclosure programmes and the City of Vilnius is a great example.

The City of Vilnius project

NRD Cyber Security experts have assisted the City of Vilnius to prepare the responsible vulnerability disclosure programme. Whilst arranging it, our team has:

  • Compiled the principles of the programme, identified the rights and obligations programme participants have so that the discovered vulnerability would not be used for malicious purposes;
  • Identified methods which are off limits for testing and assessing so that normal business processes and practices are not disturbed;
  • Shared our knowledge and experiences in implementing responsible vulnerability disclosure programme in Lithuania and elsewhere.

Jonas Pidkovas, Head of Innovation and Technology Group at the Vilnius City Administration:

"We really enjoyed working with NRD Cyber Security - not only did they due what was written in the contract, but they also provided us with best international practices and we collaboratively worked and discussed to arrive at programme blueprint which was most suitable for us."