Singapore government expands bug hunt with hacker rewards scheme
Singapore is offering payouts of up to $5,000 for white-hat hackers to uncover security vulnerabilities in systems used by the public sector. The new scheme is the latest in the government’s efforts to involve the community in assessing its ICT infrastructure.
The Government Technology Agency (GovTech) said its new Vulnerability Rewards Programme was the third crowdsourced initiative it has adopted to enhance the security of its ICT systems. It also runs bug bounty and vulnerability disclosure programmes, the latter of which is available to the public to report potential security holes.
“The three crowdsourced vulnerability discovery programmes offer a blend of continuous reporting and seasonal in-depth testing capabilities that taps the larger community, in addition to routine penetration testing conducted by the government,” GovTech said in a statement Tuesday.
The government CIO office said the bug bounty programmes were “seasonal”, focusing on five to 10 critical and “high-profile” systems during each run. The new rewards scheme, though, would be ongoing and “continuously test” a wider range of critical ICT systems needed to deliver essential digital services, it said.
Depending on the severity of the vulnerabilities uncovered, between $250 and $5,000 would be offered to hackers who are approved to participate in the rewards programme.
In addition, a special bounty of up to $150,000 could be awarded for vulnerabilities identified to potentially cause “exceptional impact” on selected systems and data. Details outlining such vulnerabilities would be provided to registered hackers and would apply only to selected government systems.
According to GovTech, the special bounty would be measured against global crowdsourced vulnerability programmes, such as those run by technology vendors such as Google and Microsoft.
The new rewards scheme would initially encompass three public-sector systems, namely, SingPass and CorpPass; member e-services under the Manpower Ministry and Central Provident Fund Board; and WorkPass Integrated System 2, which is operated by the Manpower Ministry.
The programme will also be extended to include more critical ICT systems progressively, GovTech said.
Only hackers who meet a set of criteria will be permitted to participate in the rewards scheme, with checks to be conducted by bug bounty operator HackerOne.
Once approved, participants would have to conduct security assessments through a designated virtual private network gateway provided by HackerOne, and would have their access withdrawn if they breached the permitted rules of engagement.
GovTech’s assistant chief executive for governance and cybersecurity, Lim Bee Kwan, said the government agency first adopted crowdsourced vulnerability discovery programmes in 2018. Since then, it had worked with more than 1,000 hackers to identify 500 valid vulnerabilities.
“The new Vulnerability Rewards Programme will allow the government to further tap the global pool of cybersecurity talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure smart nation,” Lim said.
As of August 2021, the Singapore government had run four bug bounties, each lasting two to three weeks, covering 33 systems. More than $100,000 had been paid out to participants.
The public vulnerability disclosure programme was launched in October 2019 and has led to more than 900 reported vulnerabilities, as of March 2021, involving 59 government agencies. Of those, at least 400 were valid bugs that have since been plugged.
A report last month revealed that half of the vulnerabilities uncovered in 2020 via the Singapore government’s bug bounty and public disclosure programmes were valid. The public sector recorded a 44% increase in data incidents over the past year, though none were assessed to be of “high severity”, according to the report by the Smart Nation and Digital Government Office.
Some 1,560 SingPass accounts, needed to access e-government services, were involved in a 2014 security breach in which users received notifications that their passwords had been reset, despite not having requested a reset. The government then attributed the incident to the likely use of weak passwords or malware that could have been installed on the affected users’ personal devices. Two-factor authentication (2FA) was introduced the following year as part of efforts to strengthen security on the e-government platform.