The Ministry of Defence (MoD) has expanded its programme with ethical hacker organisation HackerOne.
They have broadened the scope of their vulnerability disclosure programme (VDP) to include a number of the MoD’s key suppliers, with the aim of encouraging best practice in cyber security throughout its supply chain.
Ultimately, it wants all companies that partner with it to run their own VDPs.
Kahootz, which provides a cloud collaboration platform used by the MoD, is among the initial adopters of the VDP programme.
The programme with HackerOne was launched in 2021 and has involved the ministry working with over 100 researchers from the ethical hacking community. It said they have since identified and helped to fix vulnerabilities in its computer systems.
The two parties have recently agreed on a new £2.5 million, 18-month contract to continue the programme.
Paul Joyce, vulnerability research project manager at the MoD, said: “The decision to partner with HackerOne and leverage its community of ethical hackers was part of an organisation-wide commitment to building a culture of transparency and collaboration to improve national security.
“Our hacker partners are helping us to identify areas where we need to strengthen our defences and protect our critical digital assets from malicious threats.”
Diverse perspectives
Christine Maxwell, chief information security officer at the ministry, added: “Working with the ethical hacking community allows us to bring more diverse perspectives to protect and defend our assets.
“Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”
As part of the expansion, a bug bounty challenge has already been staged at the MoD’s Defence Academy. It involved 15 hackers demonstrating their skills and lateral thinking against a wide attack surface of internet and non-internet facing systems.
HackerOne said the event uncovered some vulnerabilities and provided assurance on existing security measures through the use of storyboard reports on the approaches and vectors tried by the attackers. All of the attacks were unsuccessful due to the defensive measures in place.