UK MOD
Tue, 08/03/2021 - 12:00

UK Ministry of Defence Embraces Hackers to Secure Digital Assets

The MoD announces the results of its first-ever bug bounty program with HackerOne

The United Kingdom’s Ministry of Defence (MoD) today announces the conclusion of its first bug bounty challenge with HackerOne. The Ministry of Defence program was a 30-day, hacker-powered security test aimed at surfacing vulnerabilities before they can be exploited by adversaries. Following the recent U.K. Integrated Review, the Government has called for “a more robust position on security and resilience” and “an emphasis on openness as a source of prosperity.” The MoD Challenge is part of an organization-wide commitment to build back a culture of transparency and collaboration around security to combat cyber threats and improve national security.

“The MoD has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process,” said Christine Maxwell, Chief Information Security Officer (CISO) at the MoD. “It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”

Bug bounty programs incentivize security research and the reporting of real-world security vulnerabilities in exchange for monetary rewards for qualified vulnerabilities. These programs are an industry best practice leveraged by the most mature governments and organizations across the world. By disclosing vulnerabilities to security teams, ethical hackers will help the Ministry of Defence secure its digital assets and defend against cyberattacks. This challenge is the latest example of the MoD’s willingness to pursue innovative and nontraditional approaches to ensure the capability and security of people, networks, and data. The MoD also calls for its “secure by design” principles to be adopted by its supply chain as it conducts audits to ensure compliance with DEFCON 658 and DefStan 05-138.

“It’s been proven that a closed and secretive approach to security doesn’t work well,” said Trevor Shingles a.k.a @sowhatsec, one of the 26 ethical hackers on the MoD’s program. “I focused on identifying authentication bypasses that would allow unauthorized users to access systems they shouldn’t. I successfully reported an OAuth misconfiguration, which would have allowed me to modify permissions and gain access, but instead was able to help the MoD fix and secure. For the MoD to be as open as it has with providing authorized access to their systems is a real testament that they are embracing all the tools at their disposal to really harden and secure their applications. This is a great example to set for not only the U.K., but for other countries to benchmark their own security practices against.”

“Governments worldwide are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore,” says Marten Mickos, CEO of HackerOne. “Having a formalized process to accept vulnerabilities from third parties is widely considered best practice globally, with the U.S. government making it mandatory for their federal civilian agencies this year. The U.K. MoD is leading the way in the U.K. government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”

Integrating with partners and allies contributes to the MoD’s aim of being digitally secure and cyber resilient, and the bug bounty program aligns the MoD with its allies in the United States. The U.S. Department of Defense, the U.S. Army and the U.S. Air Force all collaborate with HackerOne’s ethical hacking community to make their software safer.

About HackerOne

HackerOne empowers the world to build a safer internet. As the world’s most trusted hacker-powered security platform, HackerOne gives organizations access to the largest community of hackers on the planet. Armed with the most robust database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching, finding, and safely reporting real-world security weaknesses for organizations across all industries and attack surfaces. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Intel, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Starbucks, Twitter, and Verizon Media. HackerOne was ranked fifth on the Fast Company World’s Most Innovative Companies list for 2020.

About the UK Ministry of Defence

Ministry of Defence - GOV.UK (www.gov.uk)

What the MoD does: “We work for a secure and prosperous United Kingdom with global reach and influence. We will protect our people, territories, values and interests at home and overseas, through strong armed forces and in partnership with allies, to ensure our security, support our national interests and safeguard our prosperity.” The MOD is a ministerial department, supported by 24 agencies and public bodies. Based on 1st April 2021 statistics, the MOD has 198,880 Regular and Reserve Service personnel plus 56,920 Civil personnel.
