Why The Public Sector Will Never Support Bug Bounties


Would you believe there are some public sector sites that are still running SSL v2? This protocol version is riddled with known weaknesses and could expose the private keys used by a site. Overall it leaves a web site vulnerable to BEAST, FREAK, POODLE, DROWN, and a range of downgrade attacks.

Leading companies such as Google and Microsoft have an active bug bounty scheme, and public sector sites should do the same. Unfortunately many public sector web sites are in a poor state, and could be at great risk of exposing citizen data. One must wonder why the public sector does not put more effort into actively scanning its sites, as many of the vulnerabilities would be spotted by a simple scan from an external tool. Surely there must be weekly threat reports on the externally facing web sites?

If they supported bug bounties, many of their problems would be fixed almost instantly, as most of them are simple fixes. But as there are so many problems, a bug bounty would actually be extremely costly to put in place.

There is often a drive by governments to transform public services, but one must wonder if something gets lost along the way. Over a few days I implemented a Python script which calls the SSL Labs tool and assesses the cryptography on a range of sites.
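As an added illustration of the kind of check the script above performs (this is example code written for this page, not the author's script), the following Python module queries the Qualys SSL Labs `analyze` API and flags any endpoint that still offers SSL 2.0, SSL 3.0 or the older TLS versions, along with the BEAST, POODLE, FREAK and DROWN indicators the API reports. It assumes the v3 API URL and the documented field names (`status`, `endpoints[].grade`, `endpoints[].details.protocols`, `vulnBeast`, `poodle`, `freak`, `drownVulnerable`); the embedded report is a constructed sample so the assessment logic can be run offline.

```python
"""Assess the TLS configuration of sites using the Qualys SSL Labs API v3.

Added example, not the author's script. Assumes the v3 'analyze' endpoint
and the field names documented for it.
"""
import json
import time
import urllib.parse
import urllib.request

SSLLABS_API = "https://api.ssllabs.com/api/v3/analyze"

# Protocol versions that a public-facing site should no longer offer.
LEGACY_PROTOCOLS = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}

# SSL Labs boolean detail fields -> the attack name they correspond to.
ISSUE_FLAGS = (
    ("vulnBeast", "BEAST"),
    ("poodle", "POODLE"),
    ("freak", "FREAK"),
    ("drownVulnerable", "DROWN"),
)


def assess_endpoint(endpoint: dict) -> dict:
    """Summarise one entry of the 'endpoints' list of an analyze result."""
    details = endpoint.get("details", {})
    offered = {f"{p['name']} {p['version']}" for p in details.get("protocols", [])}
    legacy = sorted(offered & LEGACY_PROTOCOLS)
    issues = [label for key, label in ISSUE_FLAGS if details.get(key)]
    return {
        "ip": endpoint.get("ipAddress"),
        "grade": endpoint.get("grade"),
        "legacy_protocols": legacy,
        "known_issues": issues,
    }


def assess_report(report: dict) -> list:
    """Assess every endpoint in a completed (status READY) analyze report."""
    return [assess_endpoint(e) for e in report.get("endpoints", [])]


def fetch_report(host: str, timeout: int = 30, poll_seconds: int = 10) -> dict:
    """Start an assessment for `host` and poll until it is READY or ERROR.

    Network call; not used by the offline sample below.
    """
    params = {"host": host, "publish": "off", "all": "done"}
    while True:
        url = SSLLABS_API + "?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            report = json.load(resp)
        if report.get("status") in ("READY", "ERROR"):
            return report
        time.sleep(poll_seconds)


# Constructed sample in the shape of an analyze response: one endpoint still
# offering SSL 2.0 and TLS 1.0 (and therefore flagged for DROWN), one clean.
SAMPLE_REPORT = {
    "host": "example.invalid",
    "status": "READY",
    "endpoints": [
        {
            "ipAddress": "192.0.2.10",
            "grade": "F",
            "details": {
                "protocols": [
                    {"id": 512, "name": "SSL", "version": "2.0"},
                    {"id": 769, "name": "TLS", "version": "1.0"},
                    {"id": 771, "name": "TLS", "version": "1.2"},
                ],
                "vulnBeast": False,
                "poodle": False,
                "freak": False,
                "drownVulnerable": True,
            },
        },
        {
            "ipAddress": "192.0.2.11",
            "grade": "A",
            "details": {
                "protocols": [
                    {"id": 771, "name": "TLS", "version": "1.2"},
                    {"id": 772, "name": "TLS", "version": "1.3"},
                ],
                "vulnBeast": False,
                "poodle": False,
                "freak": False,
                "drownVulnerable": False,
            },
        },
    ],
}


if __name__ == "__main__":
    # Replace SAMPLE_REPORT with fetch_report("your.site.example") for a live run.
    for result in assess_report(SAMPLE_REPORT):
        print(json.dumps(result))
```

Run against a list of hosts, the live path turns a weekly "do we still offer SSL v2 anywhere?" question into a short report, which is the kind of routine external scan the article argues should already exist.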

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.