Ministry of Defence PAYS hackers to search computer systems for vulnerabilities before they can be exploited by real cybercriminals
- MoD announces the conclusion of its first bug bounty challenge with HackerOne
- Bug bounties offer ethical hackers financial reward for reporting technical flaws
- Members of the public can earn thousands of pounds for reporting a single flaw
Hackers have been paid by the Ministry of Defence (MoD) to search its computer systems for vulnerabilities before they can be exploited by real criminals online.
The government department has successfully concluded its first bug bounty programme, conducted in partnership with US firm HackerOne.
The programme recruited 26 ‘ethical hackers’ who went under the bonnet of its networks for 30 days, in a bid to get ahead of ‘bad actors’ and improve national security.
California-based HackerOne acts as a middleman by connecting businesses with its community of ethical hackers who have been through criminal background checks.
Neither HackerOne nor the MoD would reveal how much each hacker is getting paid as part of the programme.
However, another organisation already partnered with HackerOne recently handed out $50,000 (more than £36,000) for discovering a severe vulnerability.
While this is an attractive sum, it is a drop in the ocean compared with how much a single flaw can cost a business if cyber criminals notice it first.
Bug bounty programs offer ‘ethical hackers’ a financial reward in exchange for reporting technical flaws that could cost organisations millions
A bug bounty is a reward that is paid out to developers who find critical flaws in software.
The bounty can be a monetary reward, a place in a ‘hall of fame’ list for finding the flaw, gear from the company offering the bounty, or any combination of these.
With open-source software, anyone in the world is free to comb through the code of an application and look for flaws.
The average bounty paid for critical vulnerabilities is much lower, however – $3,650 (£2,600), according to HackerOne – while the average amount paid per vulnerability of any severity level is $979 (£700).
Christine Maxwell, the MoD’s chief information security officer, described the programme as an ‘essential step in reducing cyber risk and improving resilience’.
‘Working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets,’ she said.
‘It is important for us to continue to push the boundaries with our digital and cyber development to attract personnel with skills, energy and commitment.’
One of the 26 ethical hackers, Trevor Shingles, said he was able to alert the MoD to a flaw he uncovered which would have allowed a bad actor to modify permissions and gain access.
‘It’s been proven that a closed and secretive approach to security doesn’t work well,’ he said.
‘For the MoD to be as open as it has with providing authorised access to their systems is a real testament that they are embracing all the tools at their disposal to really harden and secure their applications.
‘This is a great example to set for not only the UK, but for other countries to benchmark their own security practices against.’
Bug bounty programs offer people a financial reward in exchange for reporting technical flaws.
It is a non-traditional approach for the MoD but common practice in the technology industry, and it has already been adopted by the US Department of Defense to great success.
Other major companies that have worked with HackerOne’s ethical hackers include Facebook, Dropbox, AT&T, Starbucks, Shopify and Twitter.
HackerOne’s advertising encourages the public to ‘hack for good’ to help companies prevent cyber crime. Pictured, a HackerOne billboard in San Francisco
Last September, HackerOne released its annual report of bounty data from across the industry in the previous 12 months.
It revealed more than $44.75 million (£32.2 million) in bounties were awarded to hackers across the globe over the year prior – a year-over-year increase of 87 per cent in total bounties paid.
Nine individual hackers in seven countries have each earned $1 million (£720,000) in bounties on the HackerOne platform for their efforts, it also revealed.
MEMBER OF THE PUBLIC EARNED £36,000 FOR FINDING ONE FLAW
US e-commerce company Shopify handed out $50,000 (£36,150) to computer science student Augusto Zanellato through HackerOne’s programme, it was revealed in July 2021.
As reported by The Register, Zanellato, a ‘first timer’ who joined the programme at the start of 2021, discovered a publicly available access token, which would have let anyone access the company’s source code repositories.
When Zanellato disclosed the flaw to Shopify about six months ago, the firm revoked the access token within 24 hours and assigned the vulnerability a severity score of 10 – the highest possible, the Register reported.
Zanellato told the tech news website: ‘It might surprise you, but in fact I never started hunting for bugs.
‘I have a technical background as a programmer (mainly game developing and backend, but I also have some frontend experience) with a focus on writing secure stuff instead of things that just work but with security holes as big as the Kimberley Mine.’
Zanellato’s profile page on HackerOne’s site confirms the hefty amount as a reward for the ‘critical’ flaw.
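The Shopify report above turned on an access token that had been left somewhere public. As an added illustration of how a defender catches that class of leak before a bounty hunter does, the following Python script scans text (a repository snapshot, a commit diff, a pasted config) for strings that look like credentials. It is example code written for this page, not Shopify’s or HackerOne’s tooling, and nothing in it reflects what Zanellato actually found. The sample content, the `ghp_` and `AKIA` prefix rules (assumed to follow the published GitHub personal-access-token and AWS access-key-id layouts) and the entropy threshold are all constructed assumptions; the AWS value is Amazon’s own documentation placeholder, not a live key.

```python
"""Detect credential-like strings in text before they reach a public repository.

Added example for this article; constructed patterns and sample data throughout.
"""
import math
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    rule: str      # which rule fired
    secret: str    # the matched value (redact before logging it anywhere)


# Token formats with a fixed, recognisable prefix. Assumption: these follow the
# published GitHub personal-access-token and AWS access-key-id layouts.
PREFIX_RULES = {
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Fallback rule: a secret-looking variable assigned a long opaque value.
# Entropy filtering below separates real tokens from readable placeholders.
GENERIC_ASSIGN = re.compile(
    r"(?i)\b(?:token|secret|api[_-]?key|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan(text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Return every credential-like string found in `text`, one Finding per hit."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for rule, pattern in PREFIX_RULES.items():
            for match in pattern.finditer(line):
                seen.add(match.group(0))
                findings.append(Finding(line_no, rule, match.group(0)))
        generic = GENERIC_ASSIGN.search(line)
        if generic:
            value = generic.group(1)
            # Only report opaque values; skip anything a prefix rule already caught.
            if value not in seen and shannon_entropy(value) >= min_entropy:
                findings.append(Finding(line_no, "high-entropy-assignment", value))
    return findings


def redact(secret: str) -> str:
    """Keep just enough of a secret to identify it in a ticket, never the whole value."""
    return secret[:4] + "***" + secret[-2:]


# Constructed sample of repository content. None of these are real credentials;
# the AKIA value is the placeholder from Amazon's own documentation.
SAMPLE = """\
# constructed sample of repository content, not real credentials
DATABASE_URL=postgres://app:${DB_PASSWORD}@db.internal:5432/app
git clone https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij@github.com/example/repo.git
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "q8Zr2Lk9vX1bN4mT7cW0sY5eH3jP6u"
token = example_example_example_token
"""


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("line %d: %s -> %s" % (f.line_no, f.rule, redact(f.secret)))
```

Run as a pre-commit hook or a CI step, the script fails the build on any finding; the `${DB_PASSWORD}` reference and the readable `example_example_example_token` placeholder pass, while the three opaque values are reported with redacted output so the secret is not copied into build logs. Detection is only half the response: as the Shopify case shows, the token still has to be revoked, because a value that ever reached a public repository stays in its history even after the offending line is deleted.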
Those interested in being an ethical hacker can register on HackerOne’s sign-up page.