MoD pays ‘ethical hackers’ to discover flaws ahead of the bad guys

Last week, the UK’s Ministry of Defence (MoD) announced the completion of its first Bug Bounty programme. It engaged with 26 ethical hackers and US firm HackerOne to identify vulnerabilities across the Defence’s networks and its 750,000 devices. In its Integrated Review published earlier this year, the government committed to a more robust position on security and resilience as part of its wider plans to ensure transparency and collaborate with partners to improve national security.And the success of this first Bug Bounty programme means that the MoD intends to continue the programme. Minister for the Armed Forces James Heappey said: “Bug bounty is an exciting new capability for the Ministry of Defence. Our cyber teams are collaborating with the ethical hacking community to identify and fix vulnerabilities in our systems, ensuring we’re more resilient and better protected. This work will contribute to better cyber and information security for the UK.”How did it work?The MoD introduced its own Bug Bounty programme through which white hat hackers disclosed vulnerabilities to the UK government department without fear of prosecution. It partnered with HackerOne and published a submission form that ‘ethical hackers’ could use to report any bugs or flaws with the MoD’s systems.Researchers who found any vulnerabilities had to include details of the website IP or page where the vulnerability could be observed, a brief description of its nature, and steps to reproduce. The MoD said: “If you believe you have found a vulnerability on any MoD system, you can report using HackerOne’s ‘submit a vulnerability report’. We recommend reading this disclosure policy fully before you report any vulnerabilities. This helps ensure that you understand the policy, and act in compliance with it.“This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the MoD or partner organisations to be in breach of any legal obligations.”Was it a success?The MoD has said it was. The ethical hackers were given access to a carefully curated set of internal MoD systems. How sensitive these were is unknown and it has not revealed how many vulnerabilities were identified and remediated or what it paid. What is important is that the MoD prioritised remediation of all vulnerabilities that were detected. It shows a willingness to take advice and react accordingly, something that is not always the case in cybersecurity. Christine Maxwell, Ministry of Defence Chief Information Security Officer, said: “The Ministry of Defence has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process.“It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”HackerOne CEO, Marten Mickos added: “Governments worldwide are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore.“Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the US government making it mandatory for their federal civilian agencies this year. The MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”Setting a good exampleOne participant, Trevor Shingles, said he was able to alert the MoD to a flaw he uncovered which would have allowed an adversary to modify permissions and gain access.“It's been proven that a closed and secretive approach to security doesn't work well,” he said.“For the MoD to be as open as it has with providing authorised access to their systems is a real testament that they are embracing all the tools at their disposal to really harden and secure their applications. This is a great example to set, not only for the UK, but for other countries to benchmark their own security practices against.”

Your cyber intelligence source

MoD pays ‘ethical hackers’ to discover flaws ahead of the bad guys

Related content

Microsoft Pushes Forward Launch of Recovery Tool

Palo Alto Networks Dismiss Number of Vulnerable Firewalls

Government Security Group Seeking New Members and Expertise

Microsoft Takes Down Phishing-as-a-Service Domains

Research: Half of Working Week Commonly Lost to Manual Tasks

Five Named and Charged in SMS Phishing Effort

Businesses Commonly Attacked Outside of Working Hours

Upcoming Events

MoD pays ‘ethical hackers’ to discover flaws ahead of the bad guys

Related content

Microsoft Pushes Forward Launch of Recovery Tool

Palo Alto Networks Dismiss Number of Vulnerable Firewalls

Government Security Group Seeking New Members and Expertise

Microsoft Takes Down Phishing-as-a-Service Domains

Research: Half of Working Week Commonly Lost to Manual Tasks

Five Named and Charged in SMS Phishing Effort

Businesses Commonly Attacked Outside of Working Hours

Upcoming Events

Confirm cancellation

Sign up benefits