90% of Corporate Security Vulnerability Rewards Funded by Taxpayers... "Voluntary Solutions Needed"

Of the 1.6 Billion Won in Rewards, 1.44 Billion Provided by KISA
"Companies Must Invest in Addressing Their Own Vulnerabilities"

Amid growing concerns over cybersecurity following hacking incidents involving domestic companies, it has been revealed that the government provides 90% of the rewards for bug bounty programs (security vulnerability reporting reward systems).



According to data submitted by the Korea Internet & Security Agency (KISA) to Assemblyman Han Minsoo of the Democratic Party of Korea, a member of the National Assembly's Science, ICT, Broadcasting and Communications Committee, a total of approximately 1.6 billion won in vulnerability reporting rewards was paid out between 2020 and the first half of 2025, with KISA providing about 1.44 billion won (approximately 90%) of the total.


Under the current reward system, companies and KISA share the budget. Only companies participating as joint operators are responsible for paying rewards for vulnerabilities found in their own systems, while KISA covers the rewards for all other companies using government funds.


KISA continuously receives reports of security vulnerabilities and organizes a quarterly evaluation committee comprised of professors, vulnerability experts, and software business representatives to assess the reported vulnerabilities. Based on factors such as the potential scope of incidents and ease of exploitation, rewards ranging from 50,000 won to 10 million won are provided.


KISA has operated this system since 2012 to expand private sector participation with government support, but in the 13 years since its introduction, only 33 companies have participated as joint operators in the vulnerability reporting reward program. Among them, only five companies (Naver, Kakao, Samsung SDS, LG Electronics, and Genian) have transitioned to independent operation.


Assemblyman Han stated, "Bug bounty programs are actively utilized in countries such as the United States and the European Union, but domestic companies still lack the willingness to voluntarily invest in security. Our companies must not hesitate to invest in identifying and addressing their own security vulnerabilities."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
