The Ministry of Defence (MoD) has for the first time paid bounties to hackers for finding vulnerabilities in its computer networks before they could be exploited by the UK’s adversaries.
Just over two dozen civilian hackers were permitted to take part in the 30-day programme after undergoing background checks with HackerOne, a company that specialises in bug bounty competitions.
In an announcement on Tuesday, the ministry’s chief information security officer, Christine Maxwell, said the security test was “the latest example of the MoD’s willingness to pursue innovative and non-traditional approaches” to securing its networks.
Bug bounty programmes offer hackers a financial reward for discovering and disclosing software vulnerabilities so they can be fixed rather than exploited by hostile states.
Many of the largest technology companies offer monetary rewards to security researchers, or hackers, for disclosing issues so that they can be patched – and the MoD is the latest government organisation to run a specific competition for those purposes.
Trevor Shingles, one of the participants, focused on identifying authentication bypasses that would allow people already on the MoD’s systems to access material which they shouldn’t be able to.
Mr Shingles, who is British but didn’t have any affiliations with the UK government before taking part in the bug bounty programme, connected to the MoD systems from a comfy chair in his study at home.
Ms Maxwell said: “Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets.
“Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”
Mr Shingles said he didn’t want to go into “the finer points” about the rewards he received, but added that it was “nice to see the MoD taking the same direction with their security as the US Department of Defence (DoD)”, which has run bug bounty programmes previously that he participated in.
Katie Moussouris, a security researcher and the chief executive of Luta Security, worked with the US DoD to launch the Pentagon’s first bug bounty programme in 2016 after pioneering some of the fundamentals in the vulnerability disclosure field.
Before working with the DoD, she started Microsoft’s bug bounty programme in 2013, working out the game theory and economics which would make bug bounties viable for a company which was then receiving up to 250,000 free vulnerability reports a year from the community of security researchers.
“From there, I was invited to brief the Pentagon on how to take such a complex problem and scale it so that it could work in large, complex organisations like the US Department of Defence,” Ms Moussouris told Sky News.
Following that, Luta Security was contacted by the UK’s National Cyber Security Centre (NCSC) to help shape the British government’s mechanisms for coordinating vulnerability and bug reports.
“I had worked with MoD back in that pilot programme, so it’s nice to see that they’ve taken a few years to get their processes in order – which is exactly what we recommend,” she added.
“Bug bounty programmes are a useful tool, but only if you’ve invested in preparations to fix those bugs in the first place. Even more importantly, that you’ve invested your own resources to try to uncover low-hanging fruit yourself first.
“I’m happy for my friends over in MoD, that I know they were eager to start a bug bounty programme even back when I was working with them a couple years back.
“So it’s good to see that they have managed to mature their processes and get themselves ready for a bug bounty in that time,” she added.
Martin Mickos, the chief executive of HackerOne, said: “Governments worldwide are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore.
“Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the U.S government making it mandatory for their federal civilian agencies this year.
“The UK MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”