MoD ethical hacking programme expands after initial success

The Ministry of Defence (MoD) has revealed it has expanded an existing defensive security initiative with ethical hacking and penetration testing specialist HackerOne to include some of its key suppliers.

The original scope of the MoD’s defensive security programme included a vulnerability disclosure programme (VDP) paying out bug bounties through HackerOne, leveraging the creativity and expertise of the hacking community to help secure some of the UK government’s most critical digital assets.

Since its launch in 2021, more than 100 ethical hackers have been busy “attacking” the MoD’s systems, identifying and fixing vulnerabilities to enhance its cyber security posture.

“The decision to partner with HackerOne and leverage its community of ethical hackers was part of an organisation-wide commitment to building a culture of transparency and collaboration to improve national security,” said Paul Joyce, vulnerability research project manager for the MoD. “Our hacker partners are helping us to identify areas where we need to strengthen our defences and protect our critical digital assets from malicious threats.”

MoD CISO Christine Maxwell added: “Working with the ethical hacking community allows us to bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk and improving resilience.”

The MoD hopes that by including key suppliers within the VDP, it can help encourage a trickle-down of best practices through its supply chain, and maybe implement their own programmes. It said its long-term goal was for all firms that it partners with to run their own VDPs.

Among the suppliers that has already been involved with the expanded programme is Kahootz, which supplies cloud software-as-a-service collaboration platform services to public and third sector organisations.

“Kahootz’s VDP demonstrates our proactive commitment to promptly identifying and addressing potential security weaknesses to maintain the highest security standards for users,” said Peter Jackson, the organisation’s…