MoD offers first-ever bug bounty to find vulnerabilities in defence systems

Written by Sam Trendall on 4 August 2021 in News

Department runs 30-day exercise in partnership with ethical hackers

Credit: Archives New Zealand/CC BY 2.0

The Ministry of Defence has run its first-ever bug bounty exercise, in which hackers were offered potential rewards for finding security vulnerabilities in IT systems.

The department worked with US-based company HackerOne, which operates a platform allowing organisations to post bug bounties and engage with cybersecurity experts, such as hacking specialists and penetration testers. A 30-day exercise saw 26 hackers work with the MoD to identify potential cyber vulnerabilities across defence infrastructure networks and an estate of 750,000 end-user devices.

In recent years, bug bounties have become increasingly widely used among businesses and government bodies. Most big tech firms – including Google, Microsoft, and Facebook – run bug-bounty programmes, and the European Commission and the US National Security Agency have also operated reward schemes.

The MoD’s adoption of the concept comes in light of the government’s Integrated Review of defence and foreign policy, published earlier this year, which the ministry said “committed to a more robust position on security and resilience”.

Related content

“This challenge is part of wider plans to ensure transparency and collaborate with partners to improve national security,” it added. “MoD will continue to make use of the bug bounty expertise, in addition to other capabilities available to ensure cybersecurity and resilience.”

The ministry said that hackers taking part in the initiative had “praised defence for its openness and willingness to embrace new tools and capabilities”.

Armed forces minister James Heappey described the use of bug bounties as “an exciting new capability for the Ministry of Defence”.

HackerOne chief executive Mårten Mickos said that the ministry was just the latest among many “governments worldwide [that] are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore”.

“Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the US government making it mandatory for their federal civilian agencies this year,” he added. “The UK MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on

Share this page




Please login to post a comment or register for a free account.

Related Articles

Departments to undergo independent audits of cyber resilience
7 April 2022

New ‘Gov Assure’ process aims to provide a government-wide overview of risk, minister tells PublicTechnology Cyber Security Summit

‘Get things right at the start’ – new playbook sets out rules to be applied to all government digital projects
28 March 2022

Document covers issues such as assessments of suppliers and delivery models, and upfront consideration of potential issues with legacy IT

HMRC kick-starts project to create £180m digital one-stop-shop for UK traders
17 May 2022

Digital supplier sought to support work over the coming year

Ransomware: Cabinet minister sounds alarm over ‘greatest cyberthreat to the UK’
16 May 2022

Steve Barclay urges greater reporting of attacks