Developers: Tinkoff Bank
Date of the premiere of the system: 2024/04/18
Branches: Information security
2024: Corporate Vulnerability Scanning Program Announcement
On April 18, 2024, Tinkoff announced the launch of Data Guard, a comprehensive program for finding data protection vulnerabilities, open to all its employees. This is a corporate program focused on data security that offers rewards to every member of the Tinkoff team, regardless of level. The announcement was made by Dmitry Gadar, Vice President, Director of the Information Security Department of Tinkoff.
As reported, under the Data Guard program any member of Tinkoff's 90,000-strong team (as of April 2024) can receive a reward for reporting vulnerabilities and problems related to data security. These can be technical vulnerabilities in internal services and APIs, problems with access control to data, as well as weaknesses in processes and business logic (for example, the transfer of insufficiently protected or redundant data). The reward is credited to a personal account in the form of the local currency T-Money, which can be spent on equipment, gadgets and merch at Tinkoff Shop.
The amount of payment depends on the criticality of the vulnerability found. As part of ensuring the security of personal data, Tinkoff fulfills all the necessary requirements for the protection of bank secrecy, and also regularly develops fintech information security tools.
The Data Guard program will help to further optimize the identification of problems related primarily to the human factor. As part of its security efforts, Tinkoff also runs events and training:
- Month of Bugs competitions - for a month, employees actively search for vulnerabilities in various products for a reward;
- CTF (Capture The Flag) - a competitive hacking championship among employees;
- its own blog on the internal Space portal - the blog publishes information about typical vulnerabilities in applications, real cases of bugs being fixed, and recommendations on how not to become a victim of hackers and fraudsters. This develops a security culture that helps both at work and at home.
"To protect your data, you can use your company's internal resources in different ways. At Tinkoff, we are constantly looking for security solutions, developing our own data control solutions, and also regularly providing training for all employees whose work is related to data. As our experience shows, after training, employees begin to be more attentive to the security of data circulation and more often pay attention to possible violations of the company's rules and protocols - and inform the information security team about all cases that raise questions for them. Therefore, we decided to introduce remuneration for employees for reporting problems and vulnerabilities in data security within the group. The Data Guard program has passed several stages of testing with the involvement of different teams; with the help of employees, it was possible to detect and solve interesting and non-obvious problems. Now we have expanded this program to everyone - each member of the Tinkoff team (90 thousand people) can report a problem for a reward: from managers to line managers and representatives. Based on the results of the launch of Data Guard within the group, we also plan to make this program open to everyone - in addition to existing bug-bounty programs," said Dmitry Gadar, Vice President, Director of the Information Security Department of Tinkoff.
For many years, Tinkoff has been developing its bug bounty program, in which external researchers ("white hat hackers") search for vulnerabilities. In its public format, hunters can join the program on all bug bounty platforms available in Russia: Bi.Zone Bug Bounty, Standoff 365 BugBounty and Bugbounty.ru. As part of the program, Tinkoff has paid more than 25 million rubles to "white hat hackers," and the largest payment amounted to 1.5 million rubles.