The Ministry of Defence has paid out the first bug bounties to ethical computer hackers who probed its websites for vulnerabilities, according to a cheery missive from HackerOne.
A month-long “hacker security test” culminated in a couple of dozen folk being handed unspecified rewards – and marked the first public confirmation of HackerOne’s UK government partnership.
One of those infosec pros, Trevor Shingles (@sowhatsec on Twitter), said in a canned statement: “I successfully reported an OAuth misconfiguration, which would have allowed me to modify permissions and gain access, but instead was able to help the MoD fix and secure.”
The MoD scheme’s groundworks were laid back in December when the ministry promised not to arrest bounty-hunting experts, as we reported. The bounds were also clearly set back then: web-facing systems only, no automated mass-scanning, no phishing and no reporting of active support for the hoary old TLS1.0 cipher suite. Rather than probing operational systems, the scheme’s parameters appear to have been limited to public-facing websites – potentially ones offering deeper access, but public-facing-only nonetheless.
It also said that demanding cash in return for revealing vulns was a no-no. Perhaps this line was inspired by the tale of Vasily Kravets, who in 2019 found two zero-days in Valve’s Steam gaming client that he submitted through HackerOne – only for Valve to reject his submission and ban him from the scheme after misunderstanding its own rules, prompting the frustrated infosec specialist to drop the 0-days in public as a means of getting Valve to take them seriously and fix them.
HackerOne’s concept of operations is to crowdsource penetration testing, with (so it says) a side benefit being that independent security researchers who might be tempted to sell vulnerabilities onwards instead report them to system owners. Setting up a HackerOne bug bounty scheme involves paying successful reporters; a compsci student bagged £36,000 in July after spotting an access token on GitHub that gave the world and his dog read and write access to private Shopify repositories.
A clearly well-briefed Shingles gurgled: “For the MoD to be as open as it has with providing authorised access to their systems is a real testament that they are embracing all the tools at their disposal to really harden and secure their applications.”
No information was given on how much the famously cash-strapped MoD coughed up for the vulns its vetted researchers found. Research from 2019 using public data from HackerOne found that average earnings for the top 1 per cent of reporters on the site yielded them around £26,500 a year. As we reported at the time, “newbies make considerably less.”
Marten Mickos, HackerOne’s chief exec, gave the ministry a pat on the back for its “forward-thinking and collaborative solutions to securing its digital assets,” pointing to the US government’s adoption of his company’s service a few years ago.
Mickos was echoed by MoD CISO Christine Maxwell, who chipped in to say: “The MoD has embraced a strategy of securing by design, with transparency being integral for identifying areas for improvement in the development process.”
Some readers might be wondering whether the MoD ran this as an exercise in tempting people to join the National Cyber Force. There’s nothing in public suggesting that was the case, though it wouldn’t be the MoD if somebody hadn’t said something along the lines of “by the way, have you thought about…” ®