A government announcement links to a document named “bug bounty-final eddition” in English. The Register has passed that document through a pair of online translation services and it calls for suppliers willing to bid for a licence to operate a bug bounty program.
Would-be providers will need to be capable of operating public and private bounty programs, with the latter reserved for sensitive matters such as hacks of critical infrastructure.
Iran also seems to be willing to follow bug bounty conventions by offering prizes.
It’s not hard to guess why Iran thinks a bug bounty program is a good idea: in 2010 its nuclear program was famously the target of the Stuxnet worm. Iran is also regarded as sponsoring a proxy war with Saudi Arabia, and to have interfered with the recent US elections by distributing fake news and sending menacing emails to voters.
Iran is also implementing e-government services, so needs to feel they are secure from both criminals and nation-state attacks.
The US Department of Treasury’s FAQ regarding sanctions on Iran explains that software designed to facilitate secure communications for Iranians can be exported with a licence but mentions extensive interlocking bans on other software exports. The Register believes those regulations would make it very hard indeed for a bug-bounty-as-a-service provider to score this gig.
Participating in a future Iranian bug bounty program also looks risky, as sanctions prevent dealing with the nation’s government.
Iran does possess a busy infosec community that has occasionally won bug bounties offered by other nations.