Location: Home / Article / Ministry of Defence makes first ever bounty payments to hackers

Ministry of Defence makes first ever bounty payments to hackers

One-Stop Service Platform |
89

The Ministry of Defence (MoD) has for the first time paid bounties to hackers for finding vulnerabilities in its computer networks before they could be exploited by the UK's adversaries.

Just over two dozen civilian hackers were permitted to take part in the 30-day programme after undergoing background checks with HackerOne, a company that specialises in bug bounty competitions.

In an announcement on Tuesday, the ministry's chief information security officer, Christine Maxwell, said the security test was "the latest example of the MoD's willingness to pursue innovative and non-traditional approaches" to securing its networks.

Defence secrets exposed by people sending files to personal email accounts

Bug bounty programmes offer hackers a financial reward for discovering and disclosing software vulnerabilities so they can be fixed rather than exploited by hostile states.

Many of the largest technology companies offer monetary rewards to security researchers, or hackers, for disclosing issues so that they can be patched - and the MoD is the latest government organisation to run a specific competition for those purposes.

Advertisement

Trevor Shingles, one of the participants, focused on identifying authentication bypasses that would allow people already on the MoD's systems to access material which they shouldn't be able to.

"I was granted access to the system, but I did see more features in the system than I was meant to," he told Sky News.

More on Ministry Of Defence

Babcock and Rolls-Royce plot sale of stakes in RAF Voyager contractor AirTanker

Senior civil servant removed from Ministry of Defence after losing stash of top secret documents

'Perils' remain in Afghanistan, warns Johnson, as UK's 20-year military campaign ends

Senior MoD civil servant at centre of investigation into how sensitive military documents turned up at bus stop

Sensitive documents discussing HMS Defender's passage through Black Sea 'found at bus stop in Kent'

Johnson-Putin summit possible if Russia ends 'malign activity', defence secretary says

A spokesperson for Hacker One explained that the participants had privileged access to some of the MoD's internal web apps in scope, and were not testing public-facing assets, although the company and the ministry last December agreed on a vulnerability disclosure policy for people who found issues with those.

Mr Shingles, who is British but didn't have any affiliations with the UK government before taking part in the bug bounty programme, connected to the MoD systems through a VPN (Virtual Private Network) from a comfy chair in his study at home.

Ms Maxwell said: "Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets.

"Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience."

Mr Shingles said he didn't want to go into "the finer points" about the rewards he received, but added that it was "nice to see the MoD taking the same direction with their security as the US Department of Defence (DoD)", which has run bug bounty programmes previously that he participated in.

Image:

Trevor Shingles was among the hackers to receive a bounty from the MoD

Katie Moussouris, a security researcher and the chief executive of Luta Security, worked with the US DoD to launch the Pentagon's first bug bounty programme in 2016 after pioneering some of the fundamentals in the vulnerability disclosure field.

Before working with the DoD, she started Microsoft's bug bounty programme in 2013, working out the game theory and economics which would make bug bounties viable for a company which was then receiving up to 250,000 free vulnerability reports a year from the community of security researchers.

"From there, I was invited to brief the Pentagon on how to take such a complex problem and scale it so that it could work in large, complex organisations like the US Department of Defence," Ms Moussouris told Sky News.

Following that, Luta Security was contacted by the UK's National Cyber Security Centre (NCSC) to help shape the British government's mechanisms for coordinating vulnerability and bug reports.

"I had worked with MoD back in that pilot programme, so it's nice to see that they've taken a few years to get their processes in order - which is exactly what we recommend," she added.

"Bug bounty programmes are a useful tool, but only if you've invested in preparations to fix those bugs in the first place. Even more importantly, that you've invested your own resources to try to uncover low-hanging fruit yourself first.

"I'm happy for my friends over in MoD, that I know they were eager to start a bug bounty programme even back when I was working with them a couple years back.

"So it's good to see that they have managed to mature their processes and get themselves ready for a bug bounty in that time," she added.

Image:

The bounties meant that vulnerabilities could be fixed rather than exploited

Martin Mickos, the chief executive of HackerOne, said: "Governments worldwide are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore.

"Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the U.S government making it mandatory for their federal civilian agencies this year.

"The UK MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example."