I hacked the Dutch government and all I got was this t-shirt
- General
- by Jacob Riggs
- 04-05-2021
The NCSC-NL (National Cyber Security Centre – Netherlands) sent me a ‘lousy’ t-shirt on behalf of the Dutch government.
Together with the t-shirt was a thank you letter.
Thank you for bringing a vulnerability to our attention. Together with vulnerability reporters like you we can increase the resilience of Dutch society in the digital domain and better protect our systems and systems of our partners.
This was a pleasant response to receive and illustrates a far better approach to engaging with ethical hackers than traditional threats of prosecution.
However, there’s been some past controversy within the security community on whether this type of reward disincentivises ethical hacker participation by undermining the value inherent in VDP and bug bounty programs. Some argue that the effort researchers need to invest in helping to find and responsibly report vulnerabilities to government organisations far outweighs the level of compensation value these novelty rewards are worth.
My view is that expectations should be managed realistically, and maybe the focus should shift away from pursuing personal gain to instead encouraging wider public sector adoption of better security practices. I’m happy with my t-shirt and appreciate the efforts the NCSC-NL went to. It’s certainly a better response than some of the other governments I’ve reported vulnerabilities to.
