The British Ministry of Defense (MoD) today announced the completion of its first bug bounty challenge, carried out with ethical hackers. The programme was a 30-day security test in which hackers searched for vulnerabilities so they could be identified before adversaries exploited them. Following the results of the UK Government's Integrated Review, the MoD has committed itself to a “stronger position in terms of security and resilience” and “a focus on openness as a source of prosperity”. The MoD programme now under way is part of an organisation-wide commitment to establish a culture of transparency and security cooperation to combat cyber threats and improve the UK's national security.
“The Ministry of Defense has adopted a ‘security by design’ strategy in which transparency is essential to identify areas for improvement in the development process,” said Christine Maxwell, Chief Information Security Officer (CISO) at the UK Ministry of Defense. “It is important for us to expand our digital and electronic development capabilities in order to attract employees with special skills, energy and motivation. Working with the ethical hacker community allows us to increase our staff of technical experts and protect and defend our resources from different directions. Understanding our vulnerabilities and working with the hacking community to identify and address them is an essential step in reducing cyber risks and improving resilience.”
Bug bounty programs create incentives for security research and for the reporting of real vulnerabilities. In exchange for reporting genuine, documented vulnerabilities, participants receive a corresponding monetary reward. Such programs are common business practice and are run by the most advanced government institutions and corporations around the world. By reporting vulnerabilities to security teams, ethical hackers help the UK Ministry of Defense secure its digital assets and defend against cyber attacks. The bug bounty challenge is the latest example of the MoD's willingness to take innovative and unconventional approaches to ensuring the capabilities and security of its people, networks and data. The UK Ministry of Defense is also requiring its partners to apply ‘security by design’ principles across the supply chain to ensure compliance with DEFCON 658 and DefStan 05-138.
“The reality is that a closed, covert approach to security doesn't work very well,” says Trevor Shingles, aka sowhatsec, one of the 26 ethical hackers involved in the UK MoD programme. “I focused on identifying vulnerabilities related to bypassing authentication methods. These allow unauthorized users to gain access to systems they should not be able to access. I was able to successfully detect and report an OAuth configuration error that would have enabled me to change permissions and gain access. Instead, I was able to help the MoD fix it and secure it for the future. The MoD's openness to granting authorized access to its systems is real proof that it is using all the means at its disposal to effectively strengthen and secure its applications. This is a great example not only for the UK but also for other countries, against which they can measure their own security approaches.”
“Governments around the world are increasingly realizing that they can no longer protect their massive digital environments with traditional security tools,” said Marten Mickos, CEO of HackerOne. “A formal process for third parties to report vulnerabilities is a best practice worldwide, and the US government made it mandatory for its civilian federal agencies this year. The UK Ministry of Defense is at the forefront of the UK government in providing pioneering and collaborative solutions for securing its digital assets. I suppose other government agencies will follow suit.”
Integration with partners and allies contributes to the UK Ministry of Defense's goal of digital security and resiliency. The bug bounty programme also puts the MoD on an equal footing with its allies in the United States: the US Department of Defense, US Army and US Air Force already work with the HackerOne ethical hacker community to make their programs more secure.