The Ministry of Defence (MoD) has introduced its own bug bounty programme through which white hat hackers can disclose vulnerabilities to the UK government department without fear of prosecution.
Partnering up with HackerOne, the MoD has published a submission form that security researchers can use to report any bugs or flaws with systems or platforms managed by the UK’s defence authorities. Unlike bug bounty programmes commonly run by private companies, however, there is no monetary reward available for disclosure.
Researchers who find a security vulnerability relating to an MoD system must include details of the website IP or page where the vulnerability can be observed, a brief description of its nature, and steps to reproduce. These should be a benign and non-destructive proof-of-concept and works to ensure the report can be triaged quickly and with accuracy.
The top 12 password-cracking techniques used by hackers UK gov finally unveils its new National Cyber Force DWP exposed 6,000 people’s data online for two years
“If you believe you have found a vulnerability on any MOD system, you can report using the Hacker One: submit a vulnerability report,” the MoD said. “We recommend reading this disclosure policy fully before you report any vulnerabilities. This helps ensure that you understand the policy, and act in compliance with it.
“This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the MOD or partner organisations to be in breach of any legal obligations.”
After you submit a report, the MoD will respond within five working days and will aim to triage the report within ten working days. A representative will keep you informed on its progress throughout the process via HackerOne if you’ve registered for an account.
After the ten-day process has elapsed, the priority for remediation will be assessed based on the impact, severity and exploit complexity. Some flaws may take time to address if they are not deemed a priority, and researchers are welcome to enquire on the status of their reports. However, the MoD stressed they should only check in once every fortnight at a maximum.
The MoD will then report back when the vulnerability is fixed, with researchers invited to confirm the solution fixes the problem adequate. Future public disclosure arrangements will then be subject to co-ordination between researchers and the MoD.
Researchers seeking to report a vulnerability must abide by a set of strict protocols, however. They must not, for example, break any law, access unnecessary of significant amounts of data, modify data in MoD systems, disrupt any systems, use high-intensity invasive of destructive scanning tool, or attempt any form of denial of service.
Also out of bounds is social engineering or phishing exercises, demanding financial compensation to disclose vulnerabilities, submitting reports detailing non-exploitable flaws, or submitting reports detailing TLS configuration weaknesses.
The MoD claims its policy is compatible with common industry-wide vulnerability disclosure practices, and that it does not give white hat hackers or security researchers permission to act in any way that’s inconsistent with the law.
The government department will not, however, seek prosecution of any researcher who reports vulnerabilities on MoD services or systems where they’ve acted in good faith and in accordance with the disclosure policy.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
