The United Kingdom’s Ministry of Defence (MoD) announced the conclusion of its first bug bounty challenge with HackerOne. The Ministry of Defence program was a 30-day, hacker-powered security test aimed at surfacing vulnerabilities before they can be exploited by adversaries.
Following the recent U.K. Integrated Review, the U.K. government has called for “a more robust position on security and resilience” and “an emphasis on openness as a source of prosperity.” The MoD Challenge is part of an organization-wide commitment to build back a culture of transparency and collaboration around security to combat cyber threats and improve national security.
“The MoD has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process,” said Christine Maxwell, Chief Information Security Officer (CISO) at the MoD. “It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”
Bug bounty programs incentivize security research and the reporting of real-world security vulnerabilities in exchange for monetary rewards for qualified vulnerabilities. These programs are an industry best practice leveraged by the most mature governments and organizations across the world. By disclosing vulnerabilities to security teams, ethical hackers will help the Ministry of Defence secure its digital assets and defend against cyberattacks.
This challenge is the latest example of the MoD’s willingness to pursue innovative and nontraditional approaches to ensure the capability and security of people, networks, and data. The MoD also calls for its “secure by design” principles to be adopted by its supply chain as it conducts audits to ensure compliance with DEFCON 658 and DefStan 05-138.
“It’s been proven that a closed and secretive approach to security doesn’t work well,” said Trevor Shingles a.k.a @sowhatsec, one of the 26 ethical hackers on the MoD’s program. “I focused on identifying authentication bypasses that would allow unauthorized users to access systems they shouldn’t. I successfully reported an OAuth misconfiguration, which would have allowed me to modify permissions and gain access, but instead was able to help the MoD fix and secure. For the MoD to be as open as it has with providing authorized access to their systems is a real testament that they are embracing all the tools at their disposal to really harden and secure their applications. This is a great example to set for not only the U.K., but for other countries to benchmark their own security practices against.”
“Governments worldwide are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore,” says Marten Mickos, CEO of HackerOne. “Having a formalized process to accept vulnerabilities from third parties is widely considered best practice globally, with the U.S. government making it mandatory for their federal civilian agencies this year. The U.K. MoD is leading the way in the U.K. government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”
Integrating with partners and allies contributes to the MoD’s aim of being digitally secure and cyber resilient and the bug bounty program aligns the MoD with its allies in the United States. The U.S. Department of Defense, the U.S. Army and the U.S. Air Force all collaborate with HackerOne’s ethical hacking community to make their software safer.