Safaricom rolls out plan to reward ethical hackers

https://www.google.com/amp/s/www.businessdailyafrica.com/corporate/tech/Safaricom-rolls-out-plan-to-reward-ethical-hackers/4258474-4800276-view-asAMP-k3dv57/index.html

Telecom operator Safaricom is launching a programme to promote and encourage ethical hacking and responsible disclosure of bugs or vulnerabilities found in any of its products and services.

https://www-businessdailyafrica-com.cdn.ampproject.org/i/s/www.businessdailyafrica.com/image/view/-/4800328/medRes/2136891/-/mntwbiz/-/hack.jpg
Hackers can submit bugs they may find in a confidential and responsible manner. FILE PHOTO | NMG

IN SUMMARY
[ul]
[li]Target groups are university and college students, innovation centres like iHub and iLab, cyber security forums such as Africa Hackon, ISACA and Hackathons.[/li]
[li]Hackers can submit bugs they may find in a confidential and responsible manner which will then be vetted and triaged by the HackerOne team independently.[/li]
[li]Awards will range between Sh25,000 ($250) and Sh200,000 ($2,000) depending on the severity of the bug.[/li]
[/ul]

The target groups are university and college students, innovation centres like iHub and iLab, cyber security forums such as Africa Hackon, ISACA and Hackathons.
Through a partnership with HackerOne, a cyber-security company, hackers can submit bugs they may find in a confidential and responsible manner which will then be vetted and triaged by the HackerOne team independently.
“The reason for starting this program was to encourage hackers to report any bugs/vulnerabilities that they may find in Safaricom’s products and services to Safaricom in a confidential and ethical manner instead of exploiting them or disclosing them to the public,” said Thibaud Rerolle, Safaricom’s Technology Director.
According to the firm, if the issue is found to be valid, HackerOne will then forward it to Safaricom for confirmation before awarding the hacker for their effort.
Mr Rerolle said the award can range between Sh25,000 ($250) and Sh200,000 ($2,000) depending on the severity of the bug.
“The HackerOne platform is used by many Fortune 500 companies - the likes of Facebook, Google, Microsoft, Apple and even the US Department of Defence,” said Mr Rerolle.
As of July 2018, HackerOne’s network consisted of approximately 200,000 security researchers and had resolved over 72,000 vulnerabilities across over 1,000 customer programs and had paid over Sh3.1 billion ($31 million) in bounty rewards.
A report released by Serianu, an IT services consultancy firm, showed that Kenya lost Sh21.1 billion to cybercrime in 2017, a 40 per cent increase from Sh15.1 billion in 2015.
This is a clear indication that hacking is becoming more widespread in the country and the amount of money lost to hacking is increasing rapidly.
Safaricom also wants to discover more bugs/vulnerabilities by taking advantage of crowd sourcing whereby the telco can leverage on the knowledge and skills of many ethical hackers locally and even globally instead of just relying on their own expertise.
Bug bounty programs are also generally more cost effective than hiring security consultants to do penetration testing.
This is because for bug bounty programs, you only pay for bugs or vulnerabilities found, unlike hiring security consultants who are paid based on man hours regardless of whether they find any bugs or vulnerabilities.
The Serianu report stated that over 90 per cent of African companies are operating below what is called the “cyber security poverty line”, which is a big concern.
This means that most companies in Africa do not have the basic security measures to deal with cyber security threats and this puts them and their customers at great risk of losing money or even their reputation as a company.
A good example is what happened to Facebook with the Cambridge Analytica data breach, which cost Facebook a drop of more than $100 billion (Sh10 billion) in its share price and eventually forced the CEO of Facebook to be summoned by the United States Congress and apologise to the public.
Sector players say the enactment of the Computer and Cyber Crime Bill 2017 was a big step for Kenya in cyber security as crime was not well defined and as a result, it was very difficult to convict anyone of a cybercrime.
They said the proposed Data Protection Bill 2018 is another big step in the right direction and is in line with global data privacy laws such as the General Data Protection Regulation (GDPR).
“However, a lot more still needs to be done by the government and other institutions to reach the same maturity level in cyber security laws as other more developed countries,” said Mr Rerolle.
“In 2017, the US passed over 240 cyber security related bills in various States so this goes to show you we still have a long way to go in Kenya and Africa in general,” added Mr Rerolle.

This won’t combat social engineering.

A meagre KES 200K for discovering and disclosing a bug? Forget it.

I have a list of 7 bugs in Safcom. Does it mean I have 1.4 million waiting for collection? Anyway, it's a lie.

Talk to me nicely.

It’s a lie. I don’t know anything about code or tech.

I hope they include social engineering which is my forte

The image on the article is a fake… we hackers don't use such show-off blue screens and unnecessary graphs… we use terminals, man…

Either way, let me sharpen my knives… what do they want us to hack? I haven't read the whole article.

This is a joke. $250 for a bug? I’d rather exploit it and earn more from it. Some companies even pay $30000 for a bug; Saf here are really taking us for fools.

Are those hackers in that picture using Virtual DJ or what?

I actually know of a loophole that could be used to con Safaricom Mpesa agents. It’s not about hacking or anything, just a con. Can I still go to disclose their loophole, and will I be paid? Or is this only limited to their software vulnerability?

If I was an ethical hacker I would do the hacking and build the solution at a price they can’t afford so they will have to employ me on contract. :cool:

Deorro is still typing …

1 bob for every transaction
that's all
I'm not saying anything

This is what's called social eng.

Safcom rakes in billions and then you get paid $250, utter nonsense.

Only software vulnerability

Where does one even start hacking Safaricom?

Sometimes the experience that you gain from a project is worth more than the paper money. This may not seem like much, but it’s a starting point (and that’s why they’re targeting students).
I’ve done a few pen-testing side gigs (to be honest, it’s not for the money, but to polish my skills and to network with others in the field). Some projects have been extremely frustrating at some point (staying up all night and still having to go to my regular job), but at the end of the day each project has given me tons of experience. Just like any other technical field, you have to get your hands ‘dirty’ if you want to succeed in security; it’s not easy.
In short, I’d say go for it if you have time, you won’t regret it. This may also give you more references to add to your resume (CV), and Safaricom is definitely a name you want at the top of your resume!

To clarify one of the points I noted above:
Penetration testing doesn’t have to be done at night. But, depending on the scope (and the phase), some companies prefer to do it during off-peak hours when it’s less likely to disrupt other major business operations. This is not a full-time job for me so I normally prefer to do it during ungodly hours.

https://www.safaricom.co.ke