2024-04-22

In 2022, South Korean fintech app Toss launched the nation’s first bug bounty program by a finance company, inviting outside hackers to attack its security system.

After running the program for several months in each of its first two years, Toss has kept it open continuously since last year so that hackers can report a vulnerability in Toss security whenever they discover one. White hat -- or ethical -- hackers who make a significant discovery are rewarded with up to 30 million won ($22,000).

Toss remains the only financial company in South Korea operating a bug bounty program on an ongoing basis, which reflects the firm’s confidence in its security level, according to Lee Jong-ho, a white hat hacker and the leader of Toss’ security tech team.

“As efficient as it is in finding weaknesses, bug bounty programs could expose all the holes, even those that the company itself was unaware of, in its security system. Running the program around the clock goes to show our readiness,” Lee said, speaking to The Korea Herald in a recent interview.

Toss is also the only local financial company that operates a “red team,” a group of cybersecurity staff tasked with simulating attacks to test the effectiveness of its security systems and strategies.

Lee, professionally known by his alias "Hellsonic," leads a team of 10 white hat hackers within the broader security tech team. Working closely with the remaining members of the security team, collectively known as the "blue team," they engage in daily exercises in which the red team attempts breaches while the blue team defends against them.

"Our approach begins with adopting an outsider's perspective on the system. By shedding biases, we uncover vulnerabilities overlooked by the company and try to penetrate its defenses, thus fortifying our resilience against real threats," Lee explained.

Toss strengthened its security by building customized defense programs, such as Toss Guard and Phishing Zero, and integrating them in-house. These in-house tools not only give the company the flexibility and scalability to keep pace with its growth but also produce a tightly woven defense tailored to Toss's particular environment, Lee noted.

However, committing to stronger security is not a simple choice for companies, given the substantial costs involved. According to Viva Republica, Toss' operator, of the 83.9 billion won it invested in information technology last year, 11.5 percent — 9.6 billion won — went exclusively to security, one of the highest proportions recorded among local tech firms.

Lee emphasized that this commitment to enhancing security was the very reason he chose to join Toss.

After spending a decade at RaonSecure, a prominent security solutions provider in South Korea, Lee was approached by numerous companies, including some of the country's top firms. Toss was among those he had initially rejected.

It was the persuasion of Toss's founder and CEO Lee Seung-gun that changed his mind.

"I had the opportunity to advise Lee as an external expert, and I was truly impressed by his profound knowledge of security. Having consulted for numerous CEOs and executives, I could sense his genuine dedication to defense and the depth of his expertise," the hacker recounted. "I believed that Toss was worth staking everything on."