Third Party Suppliers & Live Hacking Challenge Added to Ongoing Vulnerability Disclosure Program
8 February, LONDON - The UK’s Ministry of Defence (MOD) has announced a significant expansion of its defensive security initiative with HackerOne, the global leader in human-powered security. The original scope of the three-year-old program included vulnerability disclosure and bug bounty programs that leveraged the creativity and expertise of ethical hackers to secure the MOD’s digital assets.
The MOD’s program was originally launched in 2021. In this time the MOD has worked alongside and built strong relationships with over 100 researchers drawn from the ethical hacking community. The ethical hackers have, in turn, identified and helped fix vulnerabilities in the MOD’s computer systems, further enhancing the security of its systems and cementing the MOD’s position as a cybersecurity leader.
“The decision to partner with HackerOne and leverage its community of ethical hackers was part of an organization-wide commitment to building a culture of transparency and collaboration to improve national security,” said Paul Joyce, Vulnerability Research Project Manager, U.K. Ministry of Defence. “Our hacker partners are helping us to identify areas where we need to strengthen our defences and protect our critical digital assets from malicious threats.”
On the back of the successful initial program, the MOD has now broadened the scope of the vulnerability disclosure program (VDP) to include a number of its key suppliers. The objective is to encourage best practices throughout the MOD’s supply chain and ultimately motivate them to implement their own VDP. The long-term goal is for all firms that partner with the MOD to run their own VDP.
“Working with the ethical hacking community allows us to bring more diverse perspectives to protect and defend our assets,” said Christine Maxwell, CISO, U.K. Ministry of Defence. “Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”
Kahootz, a cloud software-as-a-service collaboration platform provider, is an initial adopter of the MOD’s supplier VDP program. Kahootz provides the secure cloud collaboration service the MOD uses to work collaboratively and share information protectively.
“Kahootz’s VDP demonstrates our proactive commitment to promptly identifying and addressing potential security weaknesses to maintain the highest security standards for users,” said Peter Jackson, CTO of Kahootz. “The VDP has enabled us to identify and address vulnerabilities before they can be exploited maliciously. Our collaboration with the UK Ministry of Defence (MOD) and HackerOne has facilitated knowledge sharing and best practices in cybersecurity, contributing to continuous improvement and increased confidence from our clients. We have developed a collaborative approach with the hackers on our program that accelerates fixes, fosters trust, and enhances security. Kahootz remains committed to strengthening our platform's security through transparency and ongoing engagement with the security community.”
The expanded scope of the program also included a first-of-its-kind in-person bug bounty challenge at the MOD’s Defence Academy. The Academy provides advanced education and training to military personnel, civil servants, and individuals from various international partners. Fifteen carefully selected professionals, all of whom are top-performing hackers, participated in the challenge to assess and enhance the Defence Academy’s security posture. The hackers concentrated on breaking down barriers, challenging norms, and demonstrating their skills and lateral thinking against a wide attack surface of both internet-facing and non-internet-facing systems. Along with uncovering vulnerabilities and advising on their remediation, the event also provided a great deal of assurance on existing security measures through storyboard reports that detailed the approaches and vectors the hackers tried, which were ultimately unsuccessful because of the defensive measures in place.
“The MOD's work with the ethical hacking community provides benefits beyond the remediation of vulnerabilities and the improvement of security postures,” said Jason Gnaneswaran, Cyber Resilience Programme Manager, U.K. Ministry of Defence. “It enables the MOD to explore new security approaches, engage with different perspectives to enhance resilience, and has helped change the culture within the MOD around cybersecurity.”
“The U.K. MOD is a trailblazer in cybersecurity practices,” said Marten Mickos, CEO of HackerOne. “The MOD has enlisted the help of the most formidable defenders - ethical hackers - to solve security problems and outsmart threat actors. From the vulnerability disclosure program to the live bug bounty challenge, hackers have helped the MOD find and fix vulnerabilities before adversaries can detect and exploit them.”
“Testing on the MOD is a fascinating challenge, and you never get bored,” said a hacker involved in the program. “The MOD is forward-thinking in its approach to cybersecurity, and being able to spend time with the team at the Defence Academy was a unique opportunity to learn more about how the MOD secures its systems. I know that when I find a bug in a government program, I am directly impacting citizens, making their digital life a little bit safer, and that feels good.”
HackerOne is the global leader in human-powered security. We leverage human ingenuity to pinpoint the most critical security flaws across your attack surface to outmatch cybercriminals. HackerOne’s Attack Resistance Platform combines the most creative human intelligence with the latest artificial intelligence to reduce threat exposure at all stages of the software development lifecycle. From meeting compliance requirements with pentesting to finding novel and elusive vulnerabilities through bug bounty, HackerOne’s elite community of ethical hackers helps organizations transform their businesses with confidence. HackerOne has helped find and fix more vulnerabilities than any other vendor for brands including Coinbase, General Motors, GitHub, Goldman Sachs, Hyatt, PayPal, and the U.S. Department of Defense. In 2023, HackerOne was named a Best Workplace for Innovators by Fast Company.