Credit: Archives New Zealand/CC BY 2.0

The Ministry of Defence has run its first-ever bug bounty exercise, in which hackers were offered potential rewards for finding security vulnerabilities in IT systems.

The department worked with US-based company HackerOne, which operates a platform allowing organisations to post bug bounties and engage with cybersecurity experts, such as hacking specialists and penetration testers. A 30-day exercise saw 26 hackers work with the MoD to identify potential cyber vulnerabilities across defence infrastructure networks and an estate of 750,000 end-user devices.

In recent years, bug bounties have become increasingly widely used among businesses and government bodies. Most big tech firms – including Google, Microsoft, and Facebook – run bug-bounty programmes, and the European Commission and the US National Security Agency have also operated reward schemes.

The MoD’s adoption of the concept comes in light of the government’s Integrated Review of defence and foreign policy, published earlier this year, which the ministry said “committed to a more robust position on security and resilience”.

Related content

• Council data breaches saw 12% spike in FY21
• ‘Cyberattackers are doing the same things over and over – and too often getting through’
• How secure is government and should we have a right to know?

“This challenge is part of wider plans to ensure transparency and collaborate with partners to improve national security,” it added. “MoD will continue to make use of the bug bounty expertise, in addition to other capabilities available to ensure cybersecurity and resilience.”

The ministry said that hackers taking part in the initiative had “praised defence for its openness and willingness to embrace new tools and capabilities”.

Armed forces minister James Heappey described the use of bug bounties as “an exciting new capability for the Ministry of Defence”.

HackerOne chief executive Mårten Mickos said that the ministry was just the latest among many “governments worldwide [that] are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore”.

“Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the US government making it mandatory for their federal civilian agencies this year,” he added. “The UK MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”