Japan turns ‘white-hat’ hackers loose to kill cyber-bugs

TOKYO — “White-hat” hackers who spot a security vulnerability in a computer system or network may be one of the most sought-after professions in Japan today, with technology firms fighting off increasing threats of cyber attacks.

In an effort to strengthen education on system security and train ethical hackers, a state-run Japanese college has launched a bug-hunting contest among its students.

White-hat hackers are those who detect security weakness to prevent malicious “black-hat” hackers from infiltrating computer systems, and stealing and destroying data.

In 2014, Cybozu Incorporated introduced a “bug bounty” programme, allowing white-hat hackers to test its system and paying them cash rewards for uncovering any vulnerabilities.

Mr Akitsugu Ito, an official of the Tokyo-based software company, said it pays up to ¥500,000 (S$6,250) for each problem detected.

About 370 vulnerabilities had been recognised by the end of last year under the bug bounty programme, he said, adding that the total payout has amounted to around ¥15.6 million.

“Outside security experts have special expertise in discovering security problems,” Mr Ito said. “They can identify bugs that cannot be spotted by our tests.”

Line Corporation, the operator of the popular free messaging app in Japan, followed suit last year.

Meanwhile, Sprout Incorporated, a cyber security venture in Tokyo, launched a business last year aimed at connecting security-conscious companies with white-hat hackers around the world. The company takes security vulnerability reports from bug hunters and pays them rewards on behalf of the member companies.

The number of contract companies now totals 10, including Pixiv Incorporated, an online community site for artists who want to showcase their work, and Avex Group Holdings Incorporated, a major entertainment business company. More than 430 hunters have been awarded a total of ¥3.9 million under the programme.

On the educational front, Chiba University has organised a bug-hunting contest for its students. “It is the first such attempt by a Japanese national university,” said an official of the institute based in Chiba, east of Tokyo.

An orientation session held in mid-January for the contest attracted a greater-than-expected turnout of 50 students.

No cash is paid to those taking part in the contest, which is held as part of the university’s curriculum to enhance people’s awareness of computer security. Instead, students recognised as being competent in detecting security vulnerabilities are eligible for non-monetary gifts.

“We expect those who perform excellently in the contest to play a leading role in the security industry in future,” said Chiba University vice-president Tetsuya Ishii.

Bug-bounty programmes are common in the United States, often organised by multinational technology companies such as Google and Microsoft. The US Department of Defense introduced the “Hack the Pentagon” pilot bug-bounty programme last year.

Technology companies in Japan find it imperative to train qualified computer security experts in response to cyber attacks that are becoming increasingly sophisticated and complex.

According to Sprout president Seigen Takano: “Many clients find bug-bounty programmes effective, and we are receiving an increasing number of inquiries.

“Bug bounties could proliferate explosively,” he said. KYODO NEWS