The Government Technology Agency (GovTech) and Cyber Security Agency (CSA) of Singapore announced today that they will be conducting the second Government Bug Bounty Programme (GBBP) from July to August 2019.
The first GBBP ran earlier this year, from December 2018 to January 2019, in partnership with HackerOne, the world’s largest community of cybersecurity researchers and white hat hackers.
The event saw around 400 ‘white hat’ hackers participating.
Of the 400, a quarter were from Singapore, with the rest coming from countries like India, Chile, Finland, and the US.
During the GBBP, hackers tested five Internet-facing systems with high user touch points – namely, the REACH website; Ministry of Communications & Information’s (MCCI) Press Accreditation Card (PAC) Online; Ministry of Foreign Affairs (MFA) website; and MFA eRegister.
Hackers found 26 validated vulnerabilities and received a total payout of US$11,750 (S$15,914).
Seven of the top ten awarded bounty participants were from Singapore.
Out of these vulnerabilities, seven were considered low severity, 18 were medium severity, and one was high severity.
‘Hacking’ Nine Gov’t Digital Services
This time around, the GBBP will run for three weeks and will be expanded to cover nine government ICT systems and digital services.
They are: SingPass and MyInfo (GovTech); OneMap website and mobile (Singapore Land Authority); MASNET and MAS corporate website (Monetary Authority of Singapore); Parents Gateway (Ministry of Education); and SGWorkPass mobile and CheckWorkPass Status e-Service (Ministry of Manpower).
Participating ‘white hat’ hackers will be required to register with HackerOne, and will stand to receive rewards ranging from US$250 to US$10,000, depending on the severity of the discovered vulnerability.
Discovered vulnerabilities will be reported to the relevant organisation for remediation, and key findings will be shared in September 2019.