MoD offers bounty to ‘ethical hackers’ to find security flaws before cyber criminals do


The Ministry of Defence has become the first government department to pay "ethical hackers" to thwart cyber criminals.

The department's first bug bounty program saw 26 of the “hackers” invited to go under the bonnet of its networks for 30 days, in a bid to get ahead of bad actors and improve national security by exposing vulnerabilities.

Bug bounty programs offer people a financial reward in exchange for reporting technical flaws. Although this is a non-traditional approach for the MoD, it is common practice in the technology industry and has already been adopted by the US Department of Defence.

Defence cyber teams are now working with the ethical hacking community in order to ensure better security across defence networks and its 750,000 devices.

Christine Maxwell, the MoD's chief information security officer, said the move was an "essential step in reducing cyber risk and improving resilience".

"Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets," she explained.

One participant, Trevor Shingles, said he was able to alert the MoD to a flaw he uncovered which would have allowed an adversary to modify permissions and gain access.

"It's been proven that a closed and secretive approach to security doesn't work well," he said.

"For the MoD to be as open as it has with providing authorised access to their systems is a real testament that they are embracing all the tools at their disposal to really harden and secure their applications.

"This is a great example to set for not only the UK, but for other countries to benchmark their own security practices against."

James Heappey, minister for the Armed Forces, said the bug bounty was an “exciting new capability” and that collaboration with ethical hacking would ensure “we’re more resilient and better protected”.

“This work will contribute to better cyber and information security for the UK,” he said.

Marten Mickos, chief executive of HackerOne, which works with ethical hackers, said: “Governments worldwide are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore.

“Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the US government making it mandatory for their federal civilian agencies this year.

“The MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”