back to article UK Ministry of Defence: We won't prosecute bug bounty hunters – oh btw, we now have one of those

The UK's Ministry of Defence has launched a bug bounty scheme, promising privateer pentesters they won't be prosecuted if they stick to the published script. The MoD has joined forces with bug bounty platform HackerOne, with the scheme seemingly being aimed at those who probe external web-facing parts of the ministry's …

  1. Zippy´s Sausage Factory
    Meh

    This sounds quite restrictive in what they claim they won't prosecute. If I were a security researcher (and I'm most definitely not), I'd be taking this with a pinch of salt. I can't help wondering if the "promise not to prosecute" was made with one hand behind the back, with the fingers crossed.

    The fact they say they're particularly interested in stuff like TLS 1.0 support makes me wonder if they've cut their internal budget for security auditing and they're hoping to crowd source it?

    1. Mike 137 Silver badge

      "stuff like TLS 1.0 support"

      Sounds like they outsource their web development, and, like everyone else, they don't verify the results. They're not alone. I still can't get my head round the fact that the NCSC web site (representing the official national authority on cyber security) is entirely a javascript app, despite javascript being the primary vector for the majority of browser mediated attacks. I contacted the NCSC about this and was told "we probably can't do anything about it", which suggests that even they outsource their web development and don't check the results.

      The fundamental problem is one of inadequate risk management at the conceptual level. Most methodologies recommend identification of "your most significant assets". However the breach typically occurs via a not so significant asset that hasn't been properly secured because it was deemed a "low risk". Equifax, BA, DigiNotar, the CIA to name just a few.

      1. Strahd Ivarius Bronze badge

        Re: "stuff like TLS 1.0 support"

        If I am not mistaken, they said that they are NOT interested in hearing about TLS 1.0 vulnerabilities.

        Anyway in a few weeks only Internet Explorer will be able to access these web sites, so no problem in sight...

  2. Pascal Monett Silver badge

    Well yeah

    "the whole technology community can effectively become your distributed dedicated full time CISO "

    Absolutely. It's just like Microsoft making its dedicated customers its beta testers. You're sure to get results before the miscreants teach you an expensive lesson.

    If you are too "proud" to use this as a tool, you have no business dealing with the Internet as a company. Unless, of course, you are a small company using widely-available tools and not doing anything more on the Web than hosting a basic commercial site or a personal site with next to zero functionality.

  3. Dabooka Silver badge

    Seems a bit... pointless?

    No invasive techniques, no phishing, no tools of intensity...

    What are they actually after then?

    1. Lotaresco Silver badge

      Re: Seems a bit... pointless?

      What are they actually after then?

      An anodyne report they can stick in front of a minister and say "Look, we are testing our systems and they are all good." <tick> "Annual bonus, please. Oh and my friend will have an MBE."

    2. Chris G Silver badge

      Re: Seems a bit... pointless?

      "What are they actually after then?"

      Perhaps what they are doing is compiling a list of people who have abilities that can get them added to a list.

      One would think that intensive efforts to penetrate military security by friendly actors would be helpful in mitigating intensive efforts by those who are less than friendly.

      1. amanfromMars 1 Silver badge

        Re: Seems a bit... pointless?

        Perhaps what they are doing is compiling a list of people who have abilities that can get them added to a list.

        One would think that intensive efforts to penetrate military security by friendly actors would be helpful in mitigating intensive efforts by those who are less than friendly. ..... Chris G

        Not that is real smart, Chris G. To find out it is considered and recognised and accepted already as a successful program in progress on ACTive AIMissions would be a Great Game Changer too ..... opening up as it does a vast new theatre for leading Paramilitarised Operations for Virtual Engagement ....... which is somewhat akin to Alien Contact given the nature of IT Leading AIMissions.

        And something of an almighty coup for UKMod, with feathers in caps for all those responsible and accountable when true . They would certainly surely be worthy of such a just reward. Not everyone is able to make such quantum leap jumps into much greater intelligence fields which lead with attractive plays ...... captivating scenarios ....... heavenly opportunities with hellishly awesome perks.

        As you can imagine, customers just love to get samples of those.

      2. Christoph

        Re: Seems a bit... pointless?

        That was my thought as well. GCHQ get a nice list of anyone who is good at net penetration. Some they keep an eye on, some they recruit (possibly giving them a choice on whether they want to be recruited).

        1. amanfromMars 1 Silver badge

          Re: Seems a bit... pointless?

          That was my thought as well. GCHQ get a nice list of anyone who is good at net penetration. Some they keep an eye on, some they recruit (possibly giving them a choice on whether they want to be recruited). ...... Christoph

          The bods/bots you have to look out for, for doing something special with someone somewhere surreal and failsafe secure, with skillsets that can be exported and shared/extorted and exploited anywhere with anyone in particular need of some very peculiar and extremely lucrative services, are those that would/could easily recruit the likes of a GCHQ into their almighty commanding control orbits and areas of outstanding supernatural beauty and virtual expertise.

          They be real handy to have in one's teams and on one's side though, for they be no body's fool tool ...... with that alone probably making them somewhat different and surprisingly unique presenting as such does the endless possibilities opened up with novel opportunities to explore with exciting leading engagement.

          Of course, that all depends upon the likes of a GCHQ recognising and being ready, willing and enabled and up for for any of that, and that lack of non dependence and independence is the sort of intelligence deficit and systemic weakness which will defeat them every time they encounter such customers/consumers/clients/adversaries in those tempestuously contested, highly prized and extremely rewarding fields. If hearts and minds are not fully engaged, abject failure is 100% guaranteed, which one has to admit is a one hell of a secure prime driver safeguarding programs and future missions..... Advanced IntelAIgent Projects and Virtual SkunkworXSS for Virgin Soldiering and AIMaster Pilot Path Findering ..... Immaculate Trail Blazing.

  4. Anonymous Coward
    Anonymous Coward

    " reporting folk should not.....

    ...'use high-intensity invasive or destructive scanning tools to find vulnerabilities.' Phishing MoD staff is also out of bounds...."

    Well, 32-33% of breaches involved the use of phishing and social engineering. [source - Verizon, late Oct 2020]

    Also, invasive / destructive tools are readily available and often successfully used.

    This statement seems to be equivalent to saying "Hey! come round and test my new home security system, but you're not allowed to kick the broken door down".

    1. Peter2 Silver badge

      Re: " reporting folk should not.....

      Or alternately they don't want every tom dick and harry in the country hacking in, getting caught and then claiming "The MOD said we could" when they get prosecuted.

      Similar to how the MOD are generally happy with people pointing out holes in their physical security arrangements, but wouldn't happily accept people cutting through a guarded razor wire fence and saying "oh, I was just doing penetration testing" when they get caught.

  5. amanfromMars 1 Silver badge

    The Money Shot Question

    The UK's Ministry of Defence has launched a bug bounty scheme, promising privateer pentesters they won't be prosecuted if they stick to the published script.

    Which scripts from whom would be a helpful direction/relevant revelation ?

    1. Anonymous Coward
      Anonymous Coward

      Re: The Money Shot Question

      Where can I find the scripts?

      (asking for a script kiddie)

      1. amanfromMars 1 Silver badge

        Re: Money Shot Questions that are Strictly Need to Know

        Where can I find the scripts? ..... Anonymous Coward

        No need to worry about that, AC, they find you. Simple ESPecial Delivery/Secret IntelAIgent Service.

  6. Claptrap314 Silver badge

    Hackathon?

    This is a straight-up "we want you to check our TLS certs for us because we're lazy & dumb".

    Just contact a reputable pen-testing company and pay them for their basic service.

    1. Sanctimonious Prick
      Mushroom

      Re: Hackathon?

      You mean, like, FireEye?

      hahahhahahahahapmslhahahahahaha

  7. amanfromMars 1 Silver badge

    Seek and Ye Shall Find ......... Some Questions May Never Ever Be Answered Online.

    The MoD is rather far behind its governmental peers,...

    Now that, ladies and gentlemen, boys and girls of the military family establishment, is a colossal vulnerability being actively avidly astutely exploited and a vital live government bug essential for private civil service administering of public contracts and disbursement of sterling exchequer funds in pirate operations to agents of foreign powers.

    The sum of its parts are considered worthy of HackerOne Proof of Concept submission, and filing away as a filling fulfilling all of the criteria in its initial official form ....

    Title*

    A clear and concise title includes the type of vulnerability and the impacted asset.

    The next two following questions on that page ....

    Description*

    What is the vulnerability? In clear steps, how do you reproduce it?

    .... has the first question already well answered in the Title* filing, whilst the second is best considered and accepted as always to remain extremely problematical for some more than worthy, and who may be more than just a chosen few amongst many, and Strictly NOFORN Need to Know MkUltra COSMIC TS/SCI .......

    Well, just ask yourself ....... Is it wise? Would you do it? Spill the beans on a vulnerability that grants one ready easy access to abuse and misuse stashes of wealth and crown jewels squirrelled away anywhere? That would surely be mad and insane? A double whammy of misfortune. 'Tis surely always best to NOT so readily share how one can reproduce it, given the hell it unleashes and the problems it delivers to so engagingly exhaust earthed resources?

    What say y'all here?

    1. Cliff Thorburn

      Re: Seek and Ye Shall Find ......... Some Questions May Never Ever Be Answered Online.

      and who may be more than just a chosen few amongst many, and Strictly NOFORN Need to Know MkUltra COSMIC TS/SCI .......

      The same chosen few who know that Brexit stumbling blocks over fishing relates in no actual way to aquatic marine life, and more akin to pirate digital bounties on the digital domain ...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021