Security

UK Ministry of Defence: We won't prosecute bug bounty hunters – oh btw, we now have one of those

'Better late than never' opines industry bod


The UK's Ministry of Defence has launched a bug bounty scheme, promising privateer pentesters they won't be prosecuted if they stick to the published script.

The MoD has joined forces with bug bounty platform HackerOne, with the scheme seemingly being aimed at those who probe external web-facing parts of the ministry's sprawling digital estate.

New guidance published on the GOV.UK pages for the MoD exhorts bug-hunters to submit only "benign, non-destructive, proof of concepts".

"The MOD affirms that it will not seek prosecution of any security researcher who reports any security vulnerability on a MOD service or system, where the researcher has acted in good faith and in accordance with this disclosure policy," it stated.

Lest anyone gets the idea that running Nessus across MoD websites is going to lead to a bumper payday, the guidance also says that reporting folk should not "use high-intensity invasive or destructive scanning tools to find vulnerabilities." Phishing MoD staff is also out of bounds.

Oddly enough, the ministry is explicitly uninterested in hearing about "TLS configuration weaknesses", including the "presence of TLS1.0 support" or "weak cipher suite support". Microsoft, among many others, recommends killing off TLS1.0 in favour of version 1.2, though the MoD runs a large number of legacy systems only capable of using legacy protocols.

The MoD is rather far behind its governmental peers, with France having devised a similar scheme called YesWeHack last year. Singapore and America's defence ministries, meanwhile, have been running bug bounties for years.

Jake Moore of infosec biz Eset mused to El Reg: "Bug bounties are an essential way of testing security and can save organisations a huge financial strain in the long run. Having an internal department constantly test the security of an organisation is of course a necessity but bounties allow it so the whole technology community can effectively become your distributed dedicated full time CISO, offering better protection."

"To my surprise," he continued, echoing El Reg's feelings, "I previously would have assumed the MOD would already have had a vulnerability disclosure policy in place as such schemes are vital in modern day threat hunting. However, better late than never, even if it does mean they had to swallow their pride and offer it out."

Neither Microsoft nor HackerOne responded to The Register's invitations to comment. Hopefully they'll be a bit more forthcoming when actual white hats start tinkering and testing. ®

Send us news
19 Comments

Legacy tech shoots down Ministry of Defence's supply chain improvements

How to manage 740 million items of behalf of the Armed Forces?

UK will be HQ for high-flying next-gen fighter jet treaty with Italy, Japan

Global Combat Air Program aims to replace Eurofighter Typhoon and Mitsubishi F-2

Britain's Ministry of Defence fined £350K over Afghan interpreter BCC email blunder

UK GDPR penalty slashed from £1M after department agrees to improve processes

UK MoD braves the weather to train maritime AI capabilities

We will scan them on the beaches

Bug bounty hunters load up to stalk AI and fancy bagging big bucks

Google offers AI-specific rewards, HackerOne sees more specializations

UK procurement is too glacial to bring AI into defense, MPs told

Projects take so long that tech is out of date before it enters service, industry says

Grant Shapps named UK defense supremo in latest 'tech-savvy' Tory tale

He praised Apple for its 'open source' tech – now he'll oversee AI use to defend Britain from its foes

UK launches SKYNET – not a doomsday plot, just shopping for improved satellite comms

They really need to start branding these things better

Defense boffins take notes from sci-fi writers on the future of warfare

Neat! Everything's gonna be just like Call of Duty!

Pentagon: We'll pay you if you can find a way to hack us

DoD puts money behind bug bounty program after reward-free pilot

UK's Ministry of Defence awards Boxxe multimillion Microsoft license deal

Contract seeks 'support with the renewal and running of Microsoft Enterprise Agreement'

British Army Twitter and YouTube feeds hijacked by crypto-promos

If you can't defend against crypto bros…