MoD offers first-ever bug bounty to find vulnerabilities in defence systems

Written by Sam Trendall on 4 August 2021 in News

Department runs 30-day exercise in partnership with ethical hackers

Credit: Archives New Zealand/CC BY 2.0

The Ministry of Defence has run its first-ever bug bounty exercise, in which hackers were offered potential rewards for finding security vulnerabilities in IT systems.

The department worked with US-based company HackerOne, which operates a platform allowing organisations to post bug bounties and engage with cybersecurity experts, such as hacking specialists and penetration testers. A 30-day exercise saw 26 hackers work with the MoD to identify potential cyber vulnerabilities across defence infrastructure networks and an estate of 750,000 end-user devices.

In recent years, bug bounties have become increasingly widely used among businesses and government bodies. Most big tech firms – including Google, Microsoft, and Facebook – run bug-bounty programmes, and the European Commission and the US National Security Agency have also operated reward schemes.

The MoD’s adoption of the concept comes in light of the government’s Integrated Review of defence and foreign policy, published earlier this year, which the ministry said “committed to a more robust position on security and resilience”.

Related content

“This challenge is part of wider plans to ensure transparency and collaborate with partners to improve national security,” it added. “MoD will continue to make use of the bug bounty expertise, in addition to other capabilities available to ensure cybersecurity and resilience.”

The ministry said that hackers taking part in the initiative had “praised defence for its openness and willingness to embrace new tools and capabilities”.

Armed forces minister James Heappey described the use of bug bounties as “an exciting new capability for the Ministry of Defence”.

HackerOne chief executive Mårten Mickos said that the ministry was just the latest among many “governments worldwide [that] are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore”.

“Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the US government making it mandatory for their federal civilian agencies this year,” he added. “The UK MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on

Share this page




Please login to post a comment or register for a free account.

Related Articles

App-based freedoms and the relentless battle for cybersecurity
3 September 2021

As our movements increasingly depend on using our smartphones to demonstrate status, we need to ensure technology is secure, according to Dr Sarah Morris, of Cranfield University.

NCSC warns organisations: ‘You cannot perform all functions securely with just BYOD’
11 October 2021

National cyber body updates guidance on use of employee-owned technology – a practice which proliferated during the pandemic

Government plans imminent legislation for digital visas
22 October 2021

Legal provisions for new system of electronic travel authorisations will soon be tabled in parliament 

The business case for IT upgrades and a surfeit of sign-ins – five things we learned about the future of digital government
13 October 2021

At techUK’s recent annual public sector tech conference, government’s digital leaders discussed their plans for the months ahead and the challenges they currently face. PublicTechnology...