MoD offers first-ever bug bounty to find vulnerabilities in defence systems

Written by Sam Trendall on 4 August 2021 in News

Department runs 30-day exercise in partnership with ethical hackers

Credit: Archives New Zealand/CC BY 2.0

The Ministry of Defence has run its first-ever bug bounty exercise, in which hackers were offered potential rewards for finding security vulnerabilities in IT systems.

The department worked with US-based company HackerOne, which operates a platform allowing organisations to post bug bounties and engage with cybersecurity experts, such as hacking specialists and penetration testers. A 30-day exercise saw 26 hackers work with the MoD to identify potential cyber vulnerabilities across defence infrastructure networks and an estate of 750,000 end-user devices.

In recent years, bug bounties have become increasingly widely used among businesses and government bodies. Most big tech firms – including Google, Microsoft, and Facebook – run bug-bounty programmes, and the European Commission and the US National Security Agency have also operated reward schemes.

The MoD’s adoption of the concept comes in light of the government’s Integrated Review of defence and foreign policy, published earlier this year, which the ministry said “committed to a more robust position on security and resilience”.

Related content

“This challenge is part of wider plans to ensure transparency and collaborate with partners to improve national security,” it added. “MoD will continue to make use of the bug bounty expertise, in addition to other capabilities available to ensure cybersecurity and resilience.”

The ministry said that hackers taking part in the initiative had “praised defence for its openness and willingness to embrace new tools and capabilities”.

Armed forces minister James Heappey described the use of bug bounties as “an exciting new capability for the Ministry of Defence”.

HackerOne chief executive Mårten Mickos said that the ministry was just the latest among many “governments worldwide [that] are waking up to the fact that they can’t secure their immense digital environments with traditional security tools anymore”.

“Having a formalised process to accept vulnerabilities from third parties is widely considered best practice globally, with the US government making it mandatory for their federal civilian agencies this year,” he added. “The UK MoD is leading the way in the UK government with forward-thinking and collaborative solutions to securing its digital assets and I predict we will see more government agencies follow its example.”


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on

Share this page




Please login to post a comment or register for a free account.

Related Articles

NCSC probes TikTok amid reports of imminent ban of government devices
16 March 2023

Security minister confirms intelligence agency is investigating the video app

Government report claims authorities’ bulk data collections are stymied by ‘disproportionate safeguards’
10 February 2023

Study assesses impact of Investigatory Powers Act during its first five years and suggests potential changes

Scottish parliamentarians ‘strongly advised’ to ditch TikTok
21 March 2023

MSPs are issued with advice following consultation with National Cyber Security Centre

What apps are on government’s approved list?
20 March 2023

Only centrally approved third-party applications will be allowed on Whitehall devices – but government remains tight-lipped on what might make the cut or how