The Ministry of Defence – which first used such reward programmes to find weaknesses in 2021 – is set to ramp up its engagement with ethical hackers, to help protect its networks
The Ministry of Defence is set to expand its work with ethical hackers via a multimillion-pound agreement to help the department run bug-bounty initiatives and other exercises intended to root out vulnerabilities in its network.
On 31 October, the ministry signed an 18-month deal with HackerOne – a Silicon Valley company that operates a platform enabling organisations to connect with ethical hackers, and run programmes through which external experts can help uncover potential cyber weaknesses. This includes bug bounty schemes which offer a financial incentive for those discovering and reporting a vulnerability – which can then be addressed before being targeted by attackers.
News of the deal comes as ministerial disclosures reveal that the MoD has 11 red-rated systems ranked at a “critical level of risk” on the legacy IT assessment framework created by government’s Central Digital and Data Office. This figure is higher than any other department that has released data.
The MoD first offered bug bounties – via an engagement with HackerOne – in 2021, when then armed forces minister James Heappey described the use of bug bounties as “an exciting new capability” for the UK defence sector.
The ministry’s use of such reward exercises seems set to ramp up under the new agreement with the specialist company, which is worth £2.5m.
A newly published procurement notice reveals that the deal will encompass various initiatives to help the MoD identify potential attack targets in an IT infrastructure that is among the UK’s most significant and sensitive.
“The MoD’s computer networks and systems support the nation’s defence and are crucial both for daily business operations and mission-critical activities,” the notice said. “Maintaining the security and integrity of the MoD’s networks and systems is a matter of national security and requires the continuous identification and remediation of vulnerabilities that can be exploited by malicious cyber actors. To reduce the cyber risk, the MoD has been working with the ethical hacking community to find vulnerabilities in the MoD’s systems. This is being done in the forms of a vulnerability rewards programme, bug bounty challenges, an in-person bug bounty and a supply chain vulnerability disclosure programme.”
Having offered its first bug bounty little more than two years ago, the ministry was a comparative latecomer to the concept. Its US counterpart first began working with HackerOne – via a programme called Hack the Pentagon – in 2016.
The US intelligence services are also long-standing users of such ethical hacking programmes, as are a range of the world’s biggest tech firms.