Budget constraints limit any immediate ambitions
The UK government remains lukewarm about the utility of bug bounty programs as a means to improve the security and resilience of its web applications.
The US Department of Defense has been a longstanding supporter of bug bounty schemes, including initiatives such as ‘Hack the Pentagon’ and ‘Hack the Army’.
Last year, the UK’s Ministry of Defence ran a successful bug bounty program in conjunction with HackerOne.
However, speaking during a media panel at last week’s CyberUK conference, Dr Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), played down the prospect of a wider government rollout of bug bounty programmes any time soon.
Existing UK government vulnerability disclosure programs meet current objectives, according to Dr Levy.
“We have a vulnerability disclosure pilot service, where people can report bugs to us [at NCSC] and then we work with the system over the weekend in order to fix it,” Dr Levy said.
“And then, hopefully, government departments have their own vulnerability disclosure programs where people can report [issues] directly and we don’t have to get involved.
In summary and half-jokingly, Dr Levy said: “We currently don’t pay bug bounties, and the reason for that is that we just don’t seem to need to – people are more than happy to come and tell government we’ve screwed up.”
More seriously, Dr Levy noted that things had moved on since UK government departments threatened legal action against security researchers for reporting potential security problems.
“We hope we’ve put a stop to that kind of stuff,” Dr Levy said. “We hope that government is a much more responsible service owner.”
Asked to comment on the differences between the US and UK governments on the current utility of bug bounty programs, Dr Levy added “The UK is [working on] much smaller scale than the US,” he said.
Dr Levy noted that the UK’s Ministry of Defence has its own bug bounty program, adding that the agency was responsible for a large, geographically distributed series of systems and was therefore something of a special case.
If the UK were to roll out bug bounty programs across government, then it would need to ensure that baseline security standards had been achieved before inviting external security researchers to probe their web-facing assets for flaws.
Other senior UK government officials played down the possibility that public sector bug bounties will become the norm anytime soon.
Paul Maddinson, the NCSC’s director of national resilience and strategy, commented that the UK government had just gone through a spending review.
This review looked at “where do you get the most impact for the money you spend on cybersecurity and resilience”, Maddinson explained, adding that financing bug bounty roll-outs were not currently a spending priority.
“We prioritize the activity that we think can make the most significant difference with the money we’ve got,” Maddinson concluded.