The UK’s Ministry of Defence (MoD) has concluded its first-ever bug bounty challenge with security platform HackerOne, building on its commitment to develop a culture of collaboration around cyber security.
Bug bounty programmes, whereby hackers report real-world security vulnerabilities to affected organisations in return for monetary compensation, are used throughout the industry as a way of incentivising security research and identifying any issues before adversaries have a chance to exploit them.
During the 30-day challenge, the MoD invited hackers to investigate vulnerabilities in its digital assets by giving them direct access to its internal systems, which was done with the aim of helping the MoD secure and defend them from cyber attacks.
The challenge follows the UK government’s publication of its integrated review of security, defence, development and foreign policy from March, in which it highlighted the need for greater capacity and resilience to deal with cyber threats, especially against critical national infrastructure (CNI).
“The MoD has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process,” said Christine Maxwell, chief information security officer (CISO) at the MoD.
“It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets.
“Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”
In the integrated review, the government also called for greater collaboration between different actors, and warned it would need to “manage inevitable tensions and trade-offs”, such as those between “our openness and the need to safeguard our people, economy and way of life through measures that increase our security and resilience”.
The MoD claims the challenge with HackerOne is part of an organisation-wide commitment to build up a culture of transparency and openness.
Trevor Shingles, one of the 26 hackers involved, said: “For the MoD to be as open as it has with providing authorised access to their systems is a real testament that they are embracing all the tools at their disposal to really harden and secure their applications.
“It’s been proven that a closed and secretive approach to security doesn’t work well … This is a great example to set for not only the UK, but for other countries to benchmark their own security practices against.”
According to Shingles, he was able to identify an authentication bypass issue during the challenge, which led to his successful reporting of an OAuth misconfiguration that would have allowed adversaries to modify permissions and gain access: “Instead, [I] was able to help the MoD fix and secure.”
The collaboration with HackerOne – which also works with the US Department of Defense, the US Army and the US Air Force to secure their software – will also help the MoD more closely align itself with its allies in the United States.
According to HackerOne CEO Marten Mickos, governments around the world are waking up to the fact that they can no longer secure their vast digital environments with traditional security tools.
“Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the US government making it mandatory for their federal civilian agencies this year,” he said.
“The UK MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets, and I predict we will see more government agencies follow its example.”
In December 2020, the MoD published guidance on how hackers could report vulnerabilities in its systems or services, but said it would not offer monetary rewards for vulnerability disclosures. The hackers taking part in the bug bounty challenge were, however, compensated for their disclosures, although the amounts are unknown.
In March 2021, HackerOne’s annual Hacker report found that the number of white hat hackers reporting bugs or vulnerabilities to enterprises increased by 63% in 2020, and by 143% since 2018, demonstrating that hackers and IT security teams are working together much more frequently to manage cyber threats.
It also found that more than one-third (38%) of hackers have spent more time hacking since the start of the pandemic, with many zeroing in on emerging threats that have arisen from the shift to remote working and organisations’ consequent digital transformations.