Put on Your White Hat and Hack for Good

George Chen
The PayPal Technology Blog
Jul 20, 2021

Skills-based volunteering and giving is the intersection where businesses and professionals meet with nonprofit organizations (NPOs) to deliver meaningful community impact. In this article, I would like to share how a team in PayPal started a new program for skills-based volunteering and giving, specifically in cybersecurity.

When the pandemic struck and remote working became the norm, PayPal’s Community Impact Team came together to think about alternative ways to continue volunteering and giving back to our society. This led us to explore remote skills-based volunteering, a tactic that could be delivered online under the restrictions of lockdown while tapping into the expertise and domain knowledge that our volunteers possess. This method, coupled with monetary giving, an enabler itself, had the potential to bring about positive impacts in the communities we call home.

Community Impact Teams at PayPal organize PayPal’s local social impact efforts across the globe. To amplify employees’ impact on their communities where they live and work, a credit of $10 per volunteering hour is given to employees to donate to the NPOs of their choice. Employee donations are also dollar matched.

My two passion areas are cybersecurity and volunteering, so although we offer several volunteer programs, I am most excited to share the insights from our Cybersecurity Pro Bono program.

There are two parts to this program — the volunteering portion and the fundraising portion. This initiative started in Singapore, so many of the examples cited below are localized.

This is the growing model of the streams we have so far:

Volunteering

Webcasts and Clinic on Secure ePayments for Senior Citizens

We partnered with the Infocomm Media Development Authority (IMDA) of Singapore to deliver two webcasts to senior citizens on the secure usage of online payments, benefits of contactless payments, as well as a walkthrough on how they can set up accounts with providers.

IMDA Digital Pod is a series of free online interactive classes specially curated for seniors to pick up digital skills.

About 200 seniors joined in for each of the sessions, and we were very encouraged by the level of engagement throughout, not to mention the very challenging questions that we did not quite expect!

Subsequently, we followed up with some of the seniors in a separate “Virtual Digital Clinic” that was jointly organized by IMDA and the Singapore National Library Board (NLB) where our volunteers were paired with seniors in 1:1 Zoom sessions to address questions regarding the usage of various mobile applications including payment applications.

Cybersecurity Workshop: Junior Achievement x PayPal

Junior Achievement (JA) Singapore is one of the NPOs we work very closely with. Based on the interests of JA students that we gathered, we came up with a 2-hour cybersecurity workshop curriculum targeting tertiary students.

https://www.ja.org.sg/june-holiday-program.html

The workshop presented the following exercises and topics:

  • An overview of the global and local cyber threat landscape
  • Personal security and social engineering
  • Safeguarding online identity and password management
  • Top 10 security risks in Web and Internet of Things (IoT)
  • Email, endpoint, and IoT security
  • Capture-The-Flag (CTF) competition

As a CTF fanatic myself, I had to put some competitive elements into the workshop, and gifted the winning team with PayPal-branded hoodies!

PayPal Hoodie

Based on the success of this curriculum, we are currently planning a similar workshop for small and medium enterprises (SMEs).

Remote Cybersecurity Pro Bono Consulting

One of our initiatives was reaching out to NPOs to offer pro bono cybersecurity consulting. While we did not get the level of traction that we hoped for due to their immediate priorities arising from the pandemic, we managed to conduct workshops with a couple of NPOs on the secure usage of remote collaboration and conferencing tools. Since this was the transition period to remote work, they found the sessions to be relevant and helpful for awareness and practicality. We are still offering pro bono consultation services on themes ranging from best practices to mentorship to secure data management.

All volunteer hours from the above-mentioned activities were tracked within our internal portal and giving credits were awarded to employees to donate to NPOs of their choice.

Fundraising

Now, let’s talk about the fundraising portion, where opportunities continue to emerge.

CTF — Cash prizes, fundraising, and write-up rewards

Many CTFs offer cash prizes for the top winning teams. Over the past few months, my colleagues and I participated in several CTFs in hopes of winning some of the cash prizes for charity. Although that has not happened yet, we did participate in post-CTF write-ups. In these reviews, organizers of CTFs search for good or innovative write-ups and offer a monetary reward.

An example would be “STACK the Flags”, a CTF organized by GovTech Cyber Security Group in December 2020, where our team had a winning entry for best write-ups and was rewarded with a monetary incentive, which we then donated to a good cause.

https://ctf.tech.gov.sg/2020/winners

We also took part in Hack The Box’s Cyber Apocalypse CTF 2021 where each challenge solved unlocked a donation to an NPO.

https://www.hackthebox.eu/cyber-apocalypse-ctf-2021

(Update: We have since worked with Hack The Box to launch yet another Hack For Good CTF! Proceeds go to Khan Academy.)

https://www.hackthebox.eu/universities/university-ctf-2021

CTF Challenge Creation

Apart from taking part in CTFs, I wanted to get a taste of what it felt like to be on the other side of the house, so I took part in the challenge creation of an upcoming CTF by the Centre for Strategic Infocomm Technologies (CSIT) of Singapore. My submitted challenge was one of the five that were accepted. The cash reward of SGD1K would be donated and doubled by PayPal’s dollar-matching support.

https://www.tisc.csit-events.sg

Bug Bounty

A few months ago, we started a “Hack for GIVES” program where we collaborated with colleagues to participate in Bug Bounty (BB), in our personal time, to raise funds for the charities of our choice. We wanted to leverage PayPal’s dollar-matching support to amplify our donation impact.

Bug Bounty is a program that rewards security researchers who find security vulnerabilities in websites, applications, or infrastructures of participating organizations.

A couple of teammates and I took part in a few programs offered on HackerOne and Bugcrowd, as well as some private programs. Lo and behold, call it beginner’s luck, we received payouts from four security bugs raised within the first couple of months! That amounted to USD1K, and USD2K if we included the dollar-match. We’ve picked a charity where that money would go towards sponsoring an underprivileged child for four years on clean water, nutritious food, healthcare, education, and safety.

Amount donated to charity from hacking over the past 5 months

Next Steps

Singapore has been a successful testbed for this program. We are looking to scale this to our other offices around the world. At the same time, we want to explore more volunteering and giving opportunities in this space and involve more participants in this program at various levels. We are looking out for the likes of employees who are trying to pick up a new skill in bug bounty or are interested in spreading security awareness to students or seniors in their respective regions.

Another program that we are experimenting with is “Innovation for Good” where we would hold sessions for a working group to develop patents and donate the monetary incentives to charity.

Would any of these be something you are interested in? Or do you have something similar running in your company? Let us know in the comments below!

Article credits:

I would like to thank Stan Lee for being my mentor and reviewer of this post, Kusum Pinto for being my partner in this program, and my CTF & BB teammates for their continued support.

George Chen
Global Threat Hunting Manager at PayPal. George is a site lead for Innovation Lab & Community Impact. In his spare cycles, he lectures cybersec at a University.