UK Ministry of Defence: We won't prosecute bug bounty hunters – oh btw, we now have one of those

The UK's Ministry of Defence has launched a bug bounty scheme, promising privateer pentesters they won't be prosecuted if they stick to the published script.

The MoD has joined forces with bug bounty platform HackerOne, with the scheme seemingly being aimed at those who probe external web-facing parts of the ministry's sprawling digital estate.

New guidance published on the GOV.UK pages for the MoD exhorts bug-hunters to submit only "benign, non-destructive, proof of concepts".

"The MOD affirms that it will not seek prosecution of any security researcher who reports any security vulnerability on a MOD service or system, where the researcher has acted in good faith and in accordance with this disclosure policy," it stated.

Lest anyone gets the idea that running Nessus across MoD websites is going to lead to a bumper payday, the guidance also says that reporting folk should not "use high-intensity invasive or destructive scanning tools to find vulnerabilities." Phishing MoD staff is also out of bounds.

Oddly enough, the ministry is explicitly uninterested in hearing about "TLS configuration weaknesses", including the "presence of TLS1.0 support" or "weak cipher suite support". Microsoft, among many others, recommends killing off TLS1.0 in favour of version 1.2, though the MoD runs a large number of legacy systems only capable of using legacy protocols.

The MoD is rather far behind its governmental peers, with France having devised a similar scheme called YesWeHack last year. Singapore and America's defence ministries, meanwhile, have been running bug bounties for years.

Jake Moore of infosec biz Eset mused to El Reg: "Bug bounties are an essential way of testing security and can save organisations a huge financial strain in the long run. Having an internal department constantly test the security of an organisation is of course a necessity but bounties allow it so the whole technology community can effectively become your distributed dedicated full time CISO, offering better protection."

"To my surprise," he continued, echoing El Reg's feelings, "I previously would have assumed the MOD would already have had a vulnerability disclosure policy in place as such schemes are vital in modern day threat hunting. However, better late than never, even if it does mean they had to swallow their pride and offer it out."

Neither Microsoft nor HackerOne responded to The Register's invitations to comment. Hopefully they'll be a bit more forthcoming when actual white hats start tinkering and testing. ®