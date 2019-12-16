
Technology

'White hat' hackers rustle few cybersecurity bounties in Japan

Google pays up to $1.5m for detection, but Toyota offers only thanks

MANAMI OGAWA, Nikkei staff writer
Unlike black hat hackers who attack systems for gain and to cause damage, white hat hackers seek to discover vulnerabilities in order to strengthen defenses. © Reuters

TOKYO -- Companies such as Google and Tesla are offering greater incentives for "white hat" hackers to find flaws in their systems, but Japanese businesses are dragging their feet despite the growing role software plays in all aspects of industry.

Japan's shortcomings in cybersecurity have been well publicized. A malicious actor could shut down ventilation systems for entire buildings through old, insecure management systems, several hackers told Nikkei. ATMs at most regional banks have the potential to be accessed through outside computers as well.

"We could even change deposit balances," one hacker said.

More companies now regard generous rewards to white hats, or ethical hackers, as being cheaper in the long run than risking a cyberattack that damages their brands. But Japan remains far behind the curve.

Toyota Motor has a system where it thanks outside hackers who discover bugs on its website -- but not in its vehicles. The automaker offers no monetary rewards. Technology companies such as NEC and Fujitsu have no rewards schemes for white hat hackers at all.

"Culturally, Japanese companies don't like to admit that they have problems," a source familiar with the issue said.

Many U.S. and European companies aggressively court white hat collaborators. Google said at the end of November that it would pay as much as $1.5 million to hackers who find remote-control vulnerabilities for Android devices, up from a cap of $200,000. The new figure is the highest ever promised publicly by a corporation.

Apple bolstered its bounty to $1 million from $200,000. Tesla and Fiat Chrysler Automobiles offer $15,000 and $7,500, respectively, while Starbucks has a cap of $4,000. Asian companies are part of the trend as well, with Singaporean ride-hailing app Grab offering $10,000.

The average reward for discovering cyber vulnerabilities has jumped 70% worldwide in two years to $3,380 in 2018, according to U.S.-based HackerOne.
