The UK Ministry of Defence (MoD) today announced the completion of its first bug bounty competition, run with HackerOne. The program was a 30-day security challenge in which ethical hackers were invited to identify vulnerabilities before they could be exploited by adversaries. In the British Government's Integrated Review, the government committed itself to “a strong position in matters of security and resilience” and to “a focus on openness as a source of prosperity”. The MoD program is part of an organisation-wide commitment to establish a culture of transparency and security cooperation in order to tackle cyber threats and improve UK national security.
Christine Maxwell, Chief Information Security Officer (CISO) at the UK Ministry of Defence, said: “The Department of Defense has adopted a ‘Secure by Design’ strategy that requires transparency to identify areas to improve the development process. It is important for us to expand our digital and cyber growth prospects to attract employees with specialized skills, energy and motivation. Working with the community of ethical hackers allows us to increase our staff of technical experts and help them from different directions, enabling us to protect and defend our resources. Understanding where we have vulnerabilities, and working with the larger ethical hacking community to identify and address those vulnerabilities to reduce cyber risk and improve resilience, is a necessary step.”
Bug bounty programs create incentives for security research and for the reporting of real security gaps. In exchange for reporting actual, documented vulnerabilities, participants receive a corresponding financial reward. Such programs are common practice in business and are run by the most progressive government organizations and companies around the world. By reporting vulnerabilities to its security teams, ethical hackers help the UK Ministry of Defence keep its digital assets secure and defend against cyber attacks. This bug bounty contest is the latest example of the MoD's willingness to adopt innovative and unconventional approaches to secure its people, networks and data. The MoD also requires its supply-chain partners to adopt “Secure by Design” principles in order to comply with DEFCON 658 and Def Stan 05-138.
“The fact is, a closed and covert approach to security doesn’t work well,” says Trevor Shingles (@sowhatsec), one of 26 ethical hackers who participated in the UK Ministry of Defence program. “I focused on identifying vulnerabilities related to bypassing authentication methods. These allow unauthorized users to access systems they should not be able to access. I was able to successfully spot and later report an OAuth misconfiguration that would have enabled me to change permissions and gain access. Instead, though, I was able to help the Department of Defense fix it and secure it for the future. The Department of Defense’s openness to providing authorized access to its systems is the real proof that it is using all the means at its disposal to make its applications truly robust and secure. This is a great example not only for the UK but also for other countries, against which they can measure their approach to security.”
“Governments around the world are increasingly realizing that they can no longer protect their vast digital environments with traditional security tools,” said HackerOne CEO Marten Mickos. “A formal process for reporting third-party vulnerabilities is considered best practice around the world, and the US government this year mandated it for its civilian federal agencies. The UK Department of Defense will secure its digital assets, leading the UK Government through pioneering and collaborative solutions, and I think other government agencies will follow suit.”
Integration with partners and allies contributes to the UK Ministry of Defence’s goal of being digitally secure and resilient. The bug bounty program also puts the MoD on par with its partners in the United States, since the US Department of Defense, the US Army and the US Air Force all work with the HackerOne ethical hacker community to make their software more secure.