How DICT’s Bug Bounty Program Aims to Protect PH Digital Systems

DICT Taps Ethical Hackers to Strengthen Government Cybersecurity

MANILA, Philippines—The Department of Information and Communications Technology (DICT) is turning to ethical hackers to help uncover vulnerabilities in government digital systems, as part of its newly rolled-out Safe Harbor Policy and Bug Bounty Program (SHPBBP).

Under the initiative, certified “white hat” hackers—cybersecurity professionals who legally test systems for weaknesses—will be authorized to attempt controlled intrusions into government and partner platforms. Their goal: identify security gaps before malicious actors can exploit them.

Legal Protection With Clear Boundaries

The program is governed by Department Circular HRA-002, which outlines a legal framework granting ethical hackers protection from lawsuits, provided they strictly follow DICT guidelines.

Participants are allowed to test only pre-declared systems and platforms. They are expressly prohibited from altering data, deleting files, disrupting public services, or accessing systems beyond the approved scope.

Any vulnerabilities discovered must be reported privately and directly to the DICT. Public disclosure is not allowed until the issue has been resolved. Failure to comply with these conditions will result in the removal of legal immunity and forfeiture of any potential rewards.

Two-Tiered Bug Bounty Program

The SHPBBP is divided into two tracks:

  • Private Program – Limited to a select group of vetted cybersecurity experts
  • Public Program – Open to independent cybersecurity researchers and ethical hackers who meet the program’s requirements

Rewards and recognition will depend on the severity of the vulnerability identified. High-impact findings—such as those that could lead to full system compromise—will receive the highest bounties.

Before joining, participants must submit formal requirements, including signing an agreement affirming good faith, ethical conduct, and regulatory compliance.

Safeguards Against Conflict of Interest

To maintain integrity, DICT personnel and third-party vendors currently working with the agency are disqualified from receiving rewards or recognition under the program. The department also urged its private-sector partners to enforce similar conflict-of-interest policies.

Funding for bug bounties will be sourced from the budgets of agencies whose systems are tested, according to the DICT. The department is likewise encouraging private partners to contribute through financial assistance or in-kind support such as cybersecurity training initiatives.

Scope Covers Public and Private Sectors

The program applies to all government agencies, including state-owned and controlled corporations. It also extends to private companies that are part of the Public-Private Cybersecurity Partnership Program, broadening the country’s overall cyber defense network.

With cyber threats continuing to evolve, the DICT said the initiative aims to foster collaboration between government and the cybersecurity community, strengthening the country’s digital resilience through responsible and transparent vulnerability testing.

Source: Phil Star
