December 21, 2018 (updated 28 Dec 2018 10:28pm)

Hack the Gov’t and Tell the NCSC? You’ll Now Get a Pat on the Back

It's like a bug bounty programme – but without the bounty, yet.

By CBR Staff Writer

Security researchers who find vulnerabilities in UK government web services can now report them directly to the National Cyber Security Centre (NCSC), rather than wondering who to tell – and whether they’ll get prosecuted for doing so.

That’s according to “Ollie”, the NCSC’s vulnerability disclosure lead, who announced a new vulnerability reporting service in a blog published on Thursday.

The service acknowledges the “crucial role security researchers play in helping to secure UK government web services”, he wrote.

“The quickest way to remediate a security vulnerability is to report it to the system owner. However, we appreciate that it can be hard to find the right contact, so researchers can now report the vulnerability to us.”

Image: NCSC vulnerability reporting page, “Disclose vulnerabilities here”. Caption: White hats will be relieved by the commitments and clear point of contact.

NCSC Vulnerability Reporting: Pilot Bug Bounty Programme Also Live

Along with direct disclosure, the NCSC has also launched a pilot bug bounty programme through HackerOne, albeit sans bounty.

“We are keen to show our appreciation by issuing HackerOne reputation points to those that disclose”, the NCSC writes.

“Having a mature and co-ordinated vulnerability disclosure process helps decrease the risk of an incident occurring”, Ollie adds.


The pilot’s aim is to identify the best way to help fellow government organisations establish a vulnerability disclosure process. HackerOne has been selected as the bug bounty platform provider and NCC Group as the assessment partner.

Vulnerability disclosure authority Katie Moussouris’s Luta Security has been supporting the NCSC to ensure it is following industry best practice.

What is HackerOne?

HackerOne allows organisations to get their networks and applications tested for cyber vulnerabilities – via its centralised platform – by a largely freelance coterie of hackers. Those that can demonstrate successful exploits typically earn cash.

The UK arguably lags the US somewhat in this regard. The “Hack the Pentagon” crowd-sourced security programme with HackerOne launched in 2016 and has resulted in the resolution of over 3,000 security vulnerabilities thus far.

The US’s Hack the Army programme in December 2016 surfaced 118 valid vulnerabilities and paid out $100,000. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports and hackers earned more than $130,000.

Chris Wallis, founder of Intruder, told Computer Business Review: “It’s great to see the NCSC rolling out a vulnerability disclosure programme for the U.K. Government. No organisation can hope to secure every last piece of the puzzle, so these programmes are now a crucial step for any mature cyber security operation. Many security researchers will delight in the kudos of finding weaknesses in Government systems, although for some there will remain the temptation to sell vulnerabilities to the highest bidder, especially while no monetary rewards are on offer.”

Disclosures Exempt from Equities Process

The NCSC adds: “Given the recent GCHQ publication, it’s also important to highlight that anything reported to us is exempt from the equities process and will be disclosed.”

It was referring to a recent publication that detailed why and when UK intelligence services choose not to disclose vulnerabilities in software.

See also: Landmark GCHQ Publication Reveals Vulnerability Disclosure Process

With regard to the bug bounty programme, Charl van der Walt, Chief Security Strategy Officer for SecureData Europe, earlier told Computer Business Review: “Bug bounty programmes have absolutely been a good thing.”

“They’ve given the offensive side of the fence a way to cleanly monetise vulnerabilities – selling on the black market is tricky; how do you know you’re not selling to a cop? – and generated a lot of really useful data.”

He added: “I was recently asked if participating is a bit like ‘painting a target on your head’. The short answer is no: there is no way of staying under the radar.”

“The bad guys will find you anyway. And these programmes can also really motivate a company: CISOs rarely get enough attention and participation seems to galvanise executives; things start happening that never did before.”
