The Secretariat for Telecommunications and Digital Transformation is launching a vulnerability search programme known as Bug Bounty through the Cybersecurity Agency of Catalonia. The programme aims to identify vulnerabilities in the ministries of the Generalitat de Catalunya and in its public sector, as an innovative measure complementing traditional scans.

This is a pioneering programme among government agencies in Spain, which began in April 2023 and will continue for at least a year. The Government of Catalonia is the first to launch an ethical hacking project of this type, which will allocate 70,000 euros to highlighting the vulnerabilities found by the cybersecurity specialists taking part.

The Secretary for Telecommunications and Digital Transformation, Sergi Marcén, stressed that “Catalonia must not only be digital, it must be a benchmark in digital transformation and have a leading position in training, collaboration and innovation.”

With this initiative, Catalonia is promoting talent and ethical hacking, enhancing protection and prevention capacities, and fostering innovation in digital system cybersecurity. “If we failed to adopt initiatives like these, hackers would only find a focus for their vocation on the dark web, and therefore on the kind of hacking that destroys things. We want hacking that builds things,” said the director of the Cybersecurity Agency of Catalonia, Tomàs Roy Català.

The commitment of the Catalan public administration to providing the country’s citizens and businesses with the best possible public services means that it must transform itself digitally, adopt new technologies and focus its processes on data.

This programme ensures that areas on which standard scans are unable to focus can be reached, increases the likelihood of identifying potential vulnerabilities by leveraging our collective intelligence in Catalonia with the participation of the research community, and performs ongoing security monitoring, as it is a long-term programme.

Ethical hacking projects are an established practice at the corporate level in the private sector, but they are not yet common in the public sector.

In December 2020, the Agency, in partnership with the Directorate General for Digital Services and Citizen Experience (then known as Citizen Services), launched a vulnerability scanning pilot test on a number of assets belonging to the Generalitat de Catalunya.

In the wake of the positive conclusions from the 2020 experience, the Generalitat de Catalunya decided to incorporate this type of programme as a new tool for achieving more secure public information systems, fostering participation and talent in cybersecurity and making government agencies more accessible to citizens.