Suomi.fi turned into a playground for hackers – The police are only told if the worst happens

The Digital and Population Information Agency (DVV) has started cooperation with hackers for the third time. This time, the targets are parts of the Suomi.fi web service, the certificate services and the population information system. The agreement states that if the hackers follow the agreed rules, the agency will not report their actions to the police.

Hackers are often thought of as criminals who break into information systems in order to get hold of information that does not belong to them or to cause some kind of damage, for example by means of malware.

However, this description only applies to so-called black hat hackers.

White hat hackers are a different breed. They search for information system vulnerabilities with permission, reporting their findings to information system administrators. In addition, you can get valuable information from them on how to better protect yourself from, for example, the black hats employed by international criminal organizations.

The expertise of white hat hackers in developing various information systems and improving information security is also utilized in Finland.

The Digital and Population Information Agency allows hackers to test the protections of the Suomi.fi service with permission. The purpose is to improve the information security of the service. The tricks of hackers who follow the agreed rules are not reported to the police. Anu Kivistö, Pasi Liesimaa

A reward of up to 30,000 euros

The white hat hackers participating in the Digital and Population Information Agency’s vulnerability reward program, which started this week, hunt for information security flaws in, for example, the Suomi.fi service owned by DVV.

You can still apply for the year-long program on the Hackrfi website. Hackrfi is a company specialized in publishing and managing vulnerability reward programs.

Those who discover security flaws are rewarded with 100–30,000 euros, depending on the significance of the discovery. According to Hackrfi, the highest reward can be paid, for example, for a discovery that reveals a vulnerability or a chain of vulnerabilities, which can be exploited to gain access to a significant amount of users’ personal data.

“Experiences of cooperation very good”

Pekka Ristimäki, information security manager of the Digital and Population Information Agency, says in the agency’s press release that the reliability of information systems is increasingly important as society’s functions become digital.

– The cooperation complements our normal application testing very well, and with it the security of digital services can be tested and developed more efficiently, Ristimäki states in the press release.

This is already the third similar DVV program.

– The experiences of cooperation have been very good, says Ristimäki.

These rules must be followed

Hackers participating in the program agree to follow strict rules under the threat of official action. The police are only contacted if an individual’s safety is threatened or the information is misused.

The rules state, among other things, that if a hacker takes advantage of a vulnerability and obtains information that he would not otherwise have obtained, he must keep the information secret. Data may also not be transferred from the server to anywhere else.

If the hacker’s activity threatens an individual’s safety more than is necessary for detecting the vulnerability, he will be kicked out of the program. If necessary, such activity can also be reported to the police.

All information security deficiencies must be reported through the official reporting channel, and no findings may be published elsewhere. The hacker must also ensure that his “data security research” does not cause significant harm to the use of the service.

The Digital and Population Information Agency, on the other hand, undertakes not to make investigation requests to the police regarding the measures taken in accordance with the rules of the program, and not to demand criminal sanctions for the perpetrators.

– The subscriber grants the information security testers participating in this program the right to carry out vulnerability testing activities and measures on the subscriber’s target system of this program, which could be interpreted as an attempt to hack data or disrupt data traffic, the program conditions say.

Sources: Digital and Population Information Agency, Hackrfi, Kaspersky
