As you know, the ICANN org provides systems and platforms for the ICANN stakeholder community to collaborate. The security and stability of these systems is vital. Our Engineering and Information Technology (E&IT) teams work hard to ensure that these systems are reliable, scalable, and secure for all ICANN meetings held around the world.
This is a resource-intensive endeavor, so we are exploring options to harden our systems against potential vulnerabilities more quickly. This includes exploring a "bug bounty" program to reward responsible reporters, including those in the ICANN "white hat" community. We are also considering hiring additional third-party experts to help us in these efforts.
We are going down this path for a few reasons. First, we recently concluded an annual third-party cybersecurity audit, which indicated we have not progressed at a rate that we're satisfied with.
Second, we were notified by a trusted community member of two system issues that have now been resolved. Based on our investigation, we have no indication that these issues were exploited by anyone other than the person who reported the incidents. At this time, it is our belief that neither of these vulnerabilities resulted in personal data breaches that would have triggered legal notice requirements. However, per our processes, and in the spirit of openness and transparency, we have added them to our public cybersecurity incident log.
I want to emphasize how grateful I am to the community member for reporting these issues. A letter acknowledging his efforts will be posted soon on our correspondence page. I encourage you to follow his lead and report any issues you are aware of by emailing vulnerability@icann.org.
I will continue to update you on our efforts to harden our systems as we move forward with this process. I have enjoyed seeing and talking with the many community members that have joined us in Barcelona, Spain, and I want to remind you that remote participation is available for ICANN63.
