Canadian Government to Hackers: Come Hack Us - Legally!
The Government of Canada now has a coordinated vulnerability disclosure program through HackerOne
The Treasury Board Secretariat (TBS) recently released the Government of Canada Guideline on Vulnerability Management, which is a process to “identify, assess and mitigate information security risks associated with information technology (IT) weaknesses.” As part of this rollout, TBS launched a coordinated vulnerability disclosure program in cooperation with HackerOne, which allows cybersecurity researchers and hackers to report security vulnerabilities to the government in exchange for legal protection.
In other words, the Government of Canada has launched a program that allows people to legally hack the government to find and report vulnerabilities, provided they follow the program’s rules.
For my hackers out there, go check out the government’s HackerOne page here to learn the policy/scope and get to hacking! If you’re interested in learning more about Canada’s new vulnerability disclosure program and a short introduction to vulnerability disclosure, keep on reading.
Canadian Government Vulnerability Management
The Treasury Board Secretariat (TBS) of Canada is the “system owner” of the government’s IT enterprise and has overall oversight of Canadian cybersecurity, so it not only crafts and implements the vulnerability management policy but also runs the new vulnerability management program through HackerOne.
The Government’s Guideline on Vulnerability Management is built around six elements: governance; understanding business dependencies on IT assets; identification of vulnerabilities; vulnerability risk assessment; mitigation activities; and metrics, reporting and compliance. Although it is only one part of the overall guideline, identifying vulnerabilities is arguably the most critical component of vulnerability management in the first place; you can’t manage vulnerabilities if you can’t find them.
Within this broader process, coordinated vulnerability disclosure is only one component of the Guideline on Vulnerability Management: even within the identification element, it is just one of 13 methods the guideline lists for identifying vulnerabilities. This highlights just how extensive and exhaustive the vulnerability management process can be.
In just a few months since its March launch, more than 150 reports have been submitted through HackerOne, and 39 hackers have been thanked for their help.
What is a Vulnerability Disclosure Program?
On a very basic level, most people have their own vulnerability management process, which includes ensuring their software is updated and using software to remove malware if their device becomes infected. However, for major corporations or governments, this is a more complicated process when you have to account for multiple networks and technologies, thousands of employees with varying levels of knowledge, and criminals and state actors who are specifically developing unique malware to attack you. This necessitates developing a more rigorous vulnerability management program, which often includes a coordinated vulnerability disclosure program, which is exactly what Canada has done.
Normally, when we think of hackers, we think of criminal hackers or cyber threat actors. Contrary to popular culture, most hackers do not engage in illegal activity. Most hackers dabble and move on to other fields, but many can make a living as ethical hackers. An ethical hacker is a hacker who uses their skills to identify and fix security vulnerabilities before they can be exploited by malicious actors or criminals. Other terms commonly used are white-hat hacker and the catch-all term cybersecurity researcher, which broadly refers to hackers who hack for the public good by identifying vulnerabilities and reporting them so they can be fixed before malicious criminals can take advantage.
Vulnerability disclosure programs were developed to allow individuals, particularly ethical hackers, to report vulnerabilities they find. However, vulnerability disclosure wasn’t always common, and ethical hacking was not always accepted.
A Hacker’s People’s History of Vulnerability Disclosure
Historically, pop culture portrayals of hackers as lone, isolated criminals are not dissimilar to those of white hat hackers, who are often portrayed as lone, isolated individuals who are not criminals. In reality, criminal hackers are the smallest group of hackers. The early criminalization of hacking for the public good led to a lack of protection for ethical hackers and discouraged vulnerability disclosure. It took years of advocacy, and hackers slowly becoming the founders and public leaders in information technology and cybersecurity, for Western governments to realize they need to work with hackers, not demonize them.

This encouraged the rise of the offensive security and cyber/information security industries, in which penetration testing and red teaming are common practices for finding vulnerabilities. Early demonization of hackers led to their incorporation as businesses and a marketing shift, ensuring that ethical hackers could continue doing the good they were doing while also earning a livelihood. What hackers found was that they would have more protection as a business than as individuals.
It was not until the 2010s that we began to see greater acceptance of ethical hackers and the growth of coordinated vulnerability disclosure programs, allowing individual hackers to report vulnerabilities to companies.
In the best cases, individuals even receive money for disclosing vulnerabilities through bug bounty programs. Bug bounty programs are unique vulnerability disclosure programs that provide compensation to those who report vulnerabilities. How much can be earned in bug bounty programs varies, with payouts ranging, on average, from $100 on the low end to $20,000 on the high end. Nevertheless, it is not unheard of for payments to go even higher, such as Apple offering a maximum of $2 million for kernel vulnerabilities. However, these payouts are quite rare because such severe bugs are found so infrequently.
In addition, the costs of vulnerability disclosure programs or bug bounties can often pay for themselves. On average, Canadian businesses lost $6.98 million to data breaches in 2025. As a result, paying bug bounties or even the costs of running a coordinated vulnerability disclosure program can pay for itself by providing additional protection while avoiding costs associated with a data breach, including legal and recovery costs.
There are even major hacking competitions that take place annually to find vulnerabilities, such as Pwn2Own, which awarded approximately $1.3 million in 2026. These events and the expertise that they produce are so important to a country’s information security ecosystem that China forbids its hackers and security researchers from participating in any outside of China, which led to the creation of the Tianfu Cup. Vulnerability disclosure and the role of hackers in identifying vulnerabilities are highly political and play a major role in a country’s national security.
Ultimately, the goal is for these companies not to have to pay because they do not want vulnerabilities in the first place. However, the reality is that mistakes, poor training or experience, or unforeseen flaws will lead to vulnerabilities. Overall, vulnerability disclosure programs are mechanisms that allow those who can discover vulnerabilities to report them for remediation, while bug bounties are meant to provide a stronger incentive for individuals to actively find vulnerabilities. The philosophy behind this is that it should not matter where information about a vulnerability comes from if it is provided with the intention of fixing the vulnerability.
Problems Persist and Impacts of AI
Significant progress has been made since the 1990s to provide legal protections for security researchers and hackers who seek to contribute to vulnerability disclosure. However, despite this progress, acceptance of ethical hackers is not universal and many individuals and organizations remain hostile. In particular, Microsoft has recently come under fire for its botched disclosure of a vulnerability by a researcher. While the severity of the Microsoft case is rare, hostility toward security researchers and hackers remains common globally. It is not unusual for hackers attempting to warn organizations about a major security vulnerability to either be ignored or receive cease-and-desist letters when all they are trying to do is warn the organization before criminals can target them.
There is also the growing presence of AI in vulnerability identification and disclosure. Generative AI has been increasingly used in the vulnerability discovery space for a few years now, long before Anthropic made news with Mythos and Fable. This has contributed to the growing ability to discover vulnerabilities, but is also contributing to the ability for criminals to use AI for cyber attacks. However, there are many impacts on the broader vulnerability disclosure ecosystem that are not yet widely discussed outside the cybersecurity and information security spaces.
One of the first impacts has been the use of AI to mass-produce vulnerability disclosure reports that overwhelm some vulnerability disclosure programs, especially when these reports concern vulnerabilities that do not actually exist or have already been fixed. A growing long-term problem is that hackers and cybersecurity researchers will have fewer opportunities to gain experience through vulnerability disclosure. This also means that AI firms will increasingly dominate the cybersecurity ecosystem, risking the false belief that AI can be relied upon for cybersecurity.
So What - What are the Benefits?
Ethical hackers and cybersecurity researchers are an important expert community in national security, no different from law enforcement or fire departments. Packetlabs, a Canadian company specializing in red teaming and penetration testing, was even positively referred to as “white hat hackers” following their recent testimony warning about the risks of Bill C-22. It is important for those who understand and study how cyberspace can be used for malicious purposes to have the means to inform the public and the government about potential threats.
Historically, bug bounty and vulnerability disclosure programs were first run by individual companies such as Netscape and Microsoft, as well as Canadian companies like Shopify. As bug bounty programs became increasingly popular, platforms like HackerOne were launched to streamline the vulnerability disclosure, bug bounty submission, and negotiation processes between hackers and companies. This is what Canada has done for its vulnerability disclosure program. Although Canada does not (yet) allow paid bug bounties, this is a major positive step, as vulnerability disclosure programs are still uncommon among governments.
Ensuring hackers have the means to help and inform the government is what makes TBS’s new coordinated vulnerability disclosure program so important. Almost 10 years ago, a CBC story detailed how the Canadian government did not want help from hackers, despite the growing trend within the United States government to accept such help. Canada has come a long way in 10 years. It is important to recognize and applaud progress, while acknowledging that there is always room for improvement. The Canadian government has a long history of poor outreach and consultation with Canadian cybersecurity and hacking experts, which has directly contributed to poor federal policy. TBS’s coordinated vulnerability disclosure program is a major step forward in addressing this gap.
I am going to wager the score: legit hackers - 1, Canadian computer systems - 0.