The Ministry of Defence (MoD) has for the first time paid bounties to hackers for finding vulnerabilities in its computer networks before they could be exploited by the UK’s adversaries.
Just over two dozen civilian hackers were permitted to take part in the 30-day programme after undergoing background checks with HackerOne, a company that specialises in bug bounty competitions.
In an announcement on Tuesday, the ministry’s chief information security officer, Christine Maxwell, said the security test was “the latest example of the MoD’s willingness to pursue innovative and non-traditional approaches” to securing its networks.
Bug bounty programmes offer hackers a financial reward for discovering and disclosing software vulnerabilities so they can be fixed rather than exploited by hostile states.
Many of the largest technology companies offer monetary rewards to security researchers, or hackers, for disclosing issues so that they can be patched – and the MoD is the latest government organisation to run a specific competition for those purposes.
Trevor Shingles, one of the participants, focused on identifying authentication bypasses that would allow people already on the MoD’s systems to access material they should not have been able to reach.
“I was granted access to the system, but I did see more features in the system than I was meant to,” he told Sky News.
Mr Shingles, who is British but didn’t have any affiliations with the UK government before taking part in the bug bounty programme, connected to the MoD systems through a VPN (Virtual Private Network) from a comfy chair in his study at home.
Ms Maxwell said: “Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets.
“Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”