Вікторія Горбік | War
17 March 2025, 09:00
On the way to echeloned defense. How the DOT-Chain military support system was tested
During the Kyiv International Cyber Resilience Forum 2025, the procurement agency of the Ministry of Defense «State Operator of Logistics» (DOT), together with the Ukrainian cybersecurity IT company Cyber Unit Technologies, organized a Bug Bash for the DOT-Chain IT system for managing the logistics needs of the Armed Forces of Ukraine.
Volodymyr Sukalo, SecOps (lead developer of information protection systems) at the DOT Information Security Department, and George Paparyga, an expert in running coordinated vulnerability detection activities and a member of the board of the Cyber Warfare Research Institute, as well as DOT representatives, told dev.ua about the testing mechanisms and the participant selection process.
About testing in general
DOT has deployed a test environment, i.e. a copy of the system in a closed loop, for two DOT-Chain modules:
FOOD — a food supply system for units that has already been launched;
Defence — a ready-to-release module with which units of the Armed Forces of Ukraine will be able to independently select the electronic warfare equipment, drones, ground robotic complexes, and control stations they need.
Over the course of two days, March 11 and 12, DOT gathered so-called ethical or «white» hackers and gave them access to test the DOT-Chain system. Volodymyr noted that because of the curfew, the organizers were unable to run the event non-stop for two days, as is customary in world practice. Instead, the hackers came in the morning, went home in the evening, had the opportunity to test the system at night from home, and then returned to the location the next day to continue testing.
Hunters were able to search for certain vulnerabilities that affect the security of the system during the day, from morning until evening, at a specially designated location in Kyiv, as well as at night from home.
«This is a very difficult job. We have few such specialists in Ukraine,» emphasized Volodymyr Sukalo.
The DOT-Chain testing format differed from other similar events in that it was held in the form of a hackathon, where a large number of ethical hackers simultaneously tested the system for vulnerabilities for a limited time. This approach allows you to quickly identify potential threats and assess the resilience of digital infrastructure under intense load.
The DOT prepared the event together with the Cyber Unit Technologies company and with the support of the National Cybersecurity Coordination Center (NCCC) under the National Security and Defense Council of Ukraine, the Ministry of Foreign Affairs of Ukraine, and the technical partner — the Institute for Cyber Warfare Research (ICWR).
Who tried to «hack» the system?
Anyone who wanted to participate in the DOT-Chain testing was able to apply, George Paparyga reported. Certain requirements were imposed on «white» hackers. In particular:
A participant may be a citizen of Ukraine.
The Participant did not participate in any part of the development, administration and/or implementation of the System.
The Participant is not currently, and has not been within the last six months, an employee of and/or provider of services to the Administrator related to the development, administration, support, etc. of the System.
The Participant is not a person subject to sanctions requirements imposed in Ukraine or listed on the website sanctions.nazk.gov.ua.
A participant can be both an individual and a business entity — an individual entrepreneur.
Identification of individuals was carried out and all participants were selected through a public announcement.
The open selection for participation in the Bug Bash produced the following results:
34 participants registered;
the organizers sent approvals to 27 participants;
20 of the selected bug hunters came for testing and took part in the Bug Bash.
About testing safety
Given the potential risks of Bug Bash, all hackers were validated and their applications were checked for security.
Alyona Zhuzha, IT advisor to the «State Operator of Logistics» (Photo by DOT)
«The Bug Bash format is relatively new for the Ukrainian GovTech sector. And we are glad that DOT became one of the first government organizations to use it to test its own product,» comments Alyona Zhuzha, IT Advisor at DOT.
In addition, as Volodymyr Sukalo noted, the test environment was provided to the hunters without production data or even a hint of it. The environment itself was turned off immediately after the Bug Bash.
«This way, no one will get additional access, because in the production environment we don’t even have test accounts that we created for bug hunters,» the specialist emphasized.
Summing up the testing results, Alyona Zhuzha noted that overall DOT-Chain showed its resilience. The DOT IT advisor added that all the information obtained as a result of the event will be used by the team to improve the system and make it even more reliable.
What were they looking for and what did they find?
All vulnerabilities found by the hackers are verified against a scale defined by cybersecurity experts and assigned one of four severity levels: Low, Medium, High, or Critical.
The vulnerability calculator, according to Volodymyr, takes into account many nuances, including:
whether user interaction is required;
whether a hunter can exploit the vulnerability remotely;
whether additional privileges on the system are needed before the vulnerability can be exploited;
what the potential impact of exploiting the vulnerability could be.
What you couldn’t do during the test
According to Volodymyr, there were no technical restrictions for hunters as such. However, hackers were forbidden to use commercial automatic scanners. «Because, firstly, this is something that we can launch ourselves, and secondly, this event was planned as manual testing. In particular, this is the case when you need to show your skills, abilities, experience, see how the system works and try to find some problem,» the specialist explains. He also added that hunters were restricted from availability testing, that is, DDoS attacks.
In addition, the DOT-Chain system has several layers of protection, which were disabled for testing so that bug hunters could find more vulnerabilities.
«We want to create a Defense in depth scheme, that is, an echeloned defense that could screen out attackers at each level of defense, right down to the code itself,» noted SecOps DOT.
Why do participants need this?
Depending on the number of vulnerabilities found and their status, the hunters scored a certain number of points and entered the leaderboard. The top three received financial rewards from partners.
The size of their rewards depended on the number and criticality of the problems found. Following the event, the three best participants were awarded on the main stage of the forum:
Alona — 487,000 UAH
Whit3_L1ght — 56,000 UAH
Nigel — 56,000 UAH
Bug Bash organizers emphasized that programs like Bug Bounty are not new to Ukraine — some banks and Prozorro SE have already implemented or continue to conduct such testing. In addition, DOT representatives hope that such competitions will become a regular practice for all critical infrastructure operators and government agencies that manage state registries.
About DOT-Chain
In September, the procurement agency of the Ministry of Defense «State Operator of Logistics» (DOT) launched DOT-Chain, an IT system for managing the logistics needs of the Armed Forces of Ukraine. Thanks to the system, the cycle of food supply to units was reduced by a factor of 4. From 2025, the developers plan to expand the functionality and enable units of the Armed Forces of Ukraine to independently select the electronic warfare equipment, drones, ground robotic complexes and control stations they need through the DOT-Chain system.
The development of the IT system cost $80,000, not including the work of full-time employees of the State Logistics Operator. At the end of 2024, the functionality of the system was expanded and the ability to file claims regarding the quality of products in the Armed Forces of Ukraine was added.
Alyona Zhuzha reported during the Kyiv International Cyber Resilience Forum 2025 that the release of an online system for ordering drones by the military can be expected in the coming month.