MOD pays ethical hackers to uncover IT flaws

The MOD crowdsourced pen-testing with US-based HackerOne

For the first time, the UK's Ministry of Defence (MOD) has paid bounties to white hat hackers for discovering security bugs in its computer networks, in an effort to raise security across its networks and devices.

The Bug Bounty Programme, which ran for 30 days, saw the MOD pay an undisclosed sum to 26 hackers, who probed the organisation's systems for vulnerabilities before they could be found and exploited by threat actors.

US-based HackerOne, which specialises in bug bounty competitions and effectively outsources pen-testing, ran the programme with the MOD.

The MOD said that it invited hackers to investigate its devices by giving them 'privileged access' to certain internal systems.

The individuals were allowed to participate only after undergoing background checks with HackerOne.

The participants were not testing public-facing assets, although the MOD and HackerOne had previously agreed on a vulnerability disclosure policy for individuals who discovered issues with those.

The programme follows the government's publication in March of its integrated review of security, defence, development and foreign policy, which highlighted the need for greater resilience and capabilities to tackle cyber threats. The government also used the review to call for greater collaboration with different actors.

'[We] will continue to make use of the Bug Bounty expertise, in addition to other capabilities available to ensure cyber security and resilience,' the MOD said.

James Heappey, Minister for the Armed Forces, described the Bounty Programme as an exciting new capability for the MOD.

"This work will contribute to better cyber and information security for the UK," he added.

Christine Maxwell, the MOD's chief information security officer, said that the effort was an "essential step in reducing cyber risk and improving resilience."

"Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets," she explained.

Bug bounty programmes are used throughout the industry as a way to reward ethical hackers for uncovering and reporting issues in computer systems.

The majority of HackerOne's users are organisations in the USA and Canada, followed by a long tail led by the UK, Germany, Singapore and Russia.