The UK’s Ministry of Defence (MoD) has just completed a 30-day bug bounty challenge which opened its systems to probing by ethical hackers.
Bug bounty programs are designed to challenge “white hat” hackers to find vulnerabilities that might otherwise be exploited by those with nefarious intent. These researchers are rewarded, whilst the organization running the exercise gains valuable visibility into possible security holes.
While such programs are popular in the private sector, governments have traditionally been more reluctant to open their IT systems to probing, given the national security implications.
This is the first initiative of its kind the MoD has run, and the department said the exercise had been “extremely valuable” in helping to find and remediate vulnerabilities across its networks and 750,000 devices.
The MoD said it will continue to run bug bounty programs alongside other initiatives to boost cyber-resilience and share any relevant lessons learned with the government.
MoD CISO, Christine Maxwell, argued that the initiative is part of the department’s commitment to transparency and security-by-design principles.
“It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment. Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets,” she added.
“Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”
The project was run by US firm HackerOne, which has also contributed to the Hack the Pentagon initiative over the past few years. That vulnerability disclosure program was recently expanded to include all publicly accessible Department of Defense information systems, not just its websites and apps.