A Korean company ‘invited’ hackers to invade its information system

by worldysnews

In 2022, fintech application Toss launched the first ‘bounty hunting’ program in Korea, inviting outsiders to attack its information system.

During the first two years, Toss’s program only ran for a few months, but since late 2023, the company has maintained it continuously. Hackers can report vulnerabilities in the application whenever they discover them. These white hat hackers can be rewarded up to 30 million won (more than half a billion dong) if they find serious errors.

Toss is the only financial company that operates a regular bug bounty program in Korea. It reflects the company’s confidence in its security capabilities, according to Lee Jong Ho – a white hat hacker and head of Toss’s security department.

Lee Jong Ho, head of security at Toss. Photo: Korea Herald

Speaking with Korea Herald, Lee said the bug bounty program can expose all the vulnerabilities that a company is unaware of in its security system. In addition, Toss is also the only Korean company with a “red team” – a term for a team of cybersecurity staff tasked with simulating attacks to test the effectiveness of systems or security strategies.

Toss’s red team includes 10 white hat hackers in addition to Lee. They coordinate with the “blue team” (defense team) every day. “When we eliminate biases, we uncover vulnerabilities that companies overlook and manage to penetrate defenses, thus strengthening our resilience against real threats,” Lee explains.

Toss has enhanced its security measures by creating customized defense programs, such as Toss Guard and Phishing Zero, and integrating them internally. These measures not only ensure flexibility and scalability to accommodate the company’s growth, but also promote a tight defense system suited to Toss’s unique environment, Lee emphasized.

However, committing to increased security is not a simple option for companies due to the significant costs involved. According to a report by Viva Republica, Toss’s operator, of the total 83.9 billion won invested in information technology last year, 11.5% – equivalent to 9.6 billion won – was dedicated to security, among the highest rates recorded among Korean technology companies.

Lee cites this commitment to increased security as the reason he chose to join Toss. After spending a decade at security solutions provider RaonSecure, Lee was sought after by many companies. At first, he refused Toss, but he was then persuaded by founder and CEO Lee Seung Gun and changed his mind.

Lee emphasized that Toss’s defense system was not perfect. As technology advances, it is ironically easier for cybercriminals to infiltrate our daily lives, he noted. Generative AI technologies such as large language models, ChatGPT… bring new attack methods, reducing barriers to entry for cybercriminals. In addition, there is also ransomware offered as a monthly fee service.

Noting that this market is growing rapidly, Lee believes that it is important that companies develop their own security systems instead of relying on pre-existing solutions. At the same time, it is necessary to increase overall awareness to minimize the risk of cyber attacks. He proposed that cybersecurity should be included in mandatory education programs, just like learning about fire safety in schools.

(According to Korea Herald)
