UK Ministry of Defence: We won't prosecute bug bounty hunters – oh btw, we now have one of those

'Better late than never' opines industry bod


The UK's Ministry of Defence has launched a bug bounty scheme, promising privateer pentesters they won't be prosecuted if they stick to the published script.

The MoD has joined forces with bug bounty platform HackerOne, with the scheme seemingly being aimed at those who probe external web-facing parts of the ministry's sprawling digital estate.

New guidance published on the GOV.UK pages for the MoD exhorts bug-hunters to submit only "benign, non-destructive, proof of concepts".

"The MOD affirms that it will not seek prosecution of any security researcher who reports any security vulnerability on a MOD service or system, where the researcher has acted in good faith and in accordance with this disclosure policy," it stated.

Lest anyone gets the idea that running Nessus across MoD websites is going to lead to a bumper payday, the guidance also says that reporting folk should not "use high-intensity invasive or destructive scanning tools to find vulnerabilities." Phishing MoD staff is also out of bounds.

Oddly enough, the ministry is explicitly uninterested in hearing about "TLS configuration weaknesses", including the "presence of TLS1.0 support" or "weak cipher suite support". Microsoft, among many others, recommends killing off TLS1.0 in favour of version 1.2, though the MoD runs a large number of legacy systems only capable of using legacy protocols.
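For anyone who wants to know whether a host falls into that excluded category before writing it up (or who is auditing their own estate rather than the MoD's), the check is a handshake attempt pinned to each protocol version in turn. The probe below is an added example for this article, not MoD, GOV.UK or HackerOne code; it only defines functions, the host in the `__main__` block is a placeholder, and it should only be pointed at services you are authorised to test. One caveat it handles: OpenSSL 3 refuses TLS 1.0 and 1.1 client-side at its default security level, so a naive probe reports every server as hardened unless it drops to security level 0 for the legacy attempts.

```python
"""Probe which TLS protocol versions a server is willing to negotiate.

Added example for this article; it is not MoD, GOV.UK or HackerOne code.
Only point it at hosts you are authorised to test (the host and port in
the __main__ block are placeholders, not taken from the article).
"""
import socket
import ssl
import sys

# Oldest to newest. SSLv3 is omitted: modern OpenSSL builds no longer offer it.
VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
LEGACY = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
MODERN = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}


def context_for(version):
    """Build a client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validation is irrelevant to a version probe: the question is
    # only whether the server will complete a handshake at this version.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version in LEGACY:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level, so the
        # probe must opt into level 0; otherwise every legacy attempt fails
        # locally and the server is wrongly reported as hardened.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Return {TLSVersion: True/False/None} for each version in VERSIONS.

    True  - server completed a handshake at that version
    False - server (or network) refused it
    None  - the local OpenSSL build cannot even offer that version
    """
    results = {}
    for version in VERSIONS:
        try:
            ctx = context_for(version)
        except (ValueError, ssl.SSLError):
            results[version] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version] = False
    return results


def assess(results):
    """Turn probe results into the findings a TLS-configuration report would list.

    These are the items the MoD policy says it does not want to hear about,
    so run this before writing a report rather than after.
    """
    findings = []
    for version in VERSIONS:
        if results.get(version) and version in LEGACY:
            findings.append(f"server still accepts {version.name}")
    if not any(results.get(v) for v in MODERN):
        findings.append("no modern TLS (1.2 or 1.3) negotiated")
    return findings


if __name__ == "__main__":
    # "example.invalid" is a placeholder; pass a real, authorised target as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    probe = probe_tls_versions(target)
    for version in VERSIONS:
        print(f"{version.name:8} {probe[version]}")
    print("\n".join(assess(probe)) or "nothing to report")
```

Run it as `python probe.py host.example` against a host you own. A `None` result for TLS 1.0 or 1.1 means your own OpenSSL cannot offer the version at all, which is a gap in the tooling, not evidence about the server.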

The MoD is rather far behind its governmental peers: France set up a comparable programme last year through the home-grown bug bounty platform YesWeHack, while the defence ministries of Singapore and the United States have been running bug bounties for years.

Jake Moore of infosec biz Eset mused to El Reg: "Bug bounties are an essential way of testing security and can save organisations a huge financial strain in the long run. Having an internal department constantly test the security of an organisation is of course a necessity but bounties allow it so the whole technology community can effectively become your distributed dedicated full time CISO, offering better protection."

"To my surprise," he continued, echoing El Reg's feelings, "I previously would have assumed the MOD would already have had a vulnerability disclosure policy in place as such schemes are vital in modern day threat hunting. However, better late than never, even if it does mean they had to swallow their pride and offer it out."

Neither Microsoft nor HackerOne responded to The Register's invitations to comment. Hopefully they'll be a bit more forthcoming when actual white hats start tinkering and testing. ®
