24-Year-Old NSF Gets Over S$11,000 In ‘Bounty’ For Finding Bugs In Gov’t Websites

The Government Technology Agency (GovTech) and the Cyber Security Agency of Singapore (CSA) have successfully concluded the second Government Bug Bounty Programme (BBP).

As a quick refresher, the first BBP was conducted from December 2018 to January 2019, during which over 400 ‘white hat’ hackers found 26 validated vulnerabilities in five Internet-facing systems with high user touchpoints.

During the first BBP, hackers got a total payout of US$11,750.

This edition of the BBP was conducted from 8 to 28 July 2019, and covered nine Internet-facing government ICT systems and digital services with high user touchpoints: SingPass and MyInfo (GovTech); OneMap website and mobile (Singapore Land Authority); MASNET and MAS corporate website (Monetary Authority of Singapore); Parents Gateway (Ministry of Education); and SGWorkPass mobile and Check Work Pass Status e-Service (Ministry of Manpower).

This year, 31 validated vulnerabilities were found: four were considered ‘high severity’ and the remaining 27 were ‘medium/low severity’.

All vulnerabilities have been remediated.

This year, 290 local and overseas cybersecurity researchers and white hat hackers participated. 70 of them were Singaporeans, of whom 30 participated in the first BBP.

The total bounty paid out this year was US$25,950 (~S$35,880).

Seven out of the top 10 awarded bounty participants were Singaporeans.

The top white hat hacker was 24-year-old Singaporean NSF Eugene “spaceraccoon” Lim, who found 9 vulnerabilities and was awarded US$8,500 (S$11,752) in bounty.

Currently a logistics sergeant in the Singapore Armed Forces, he had disrupted his national service in 2014 for his studies at Yale University, where he studied computer science and history.

In an interview with The Straits Times, he shared that he only started learning hacking last year by “looking up free resources online”.

He added that he found it a challenge to juggle his duties as an NSF while taking part in the BBP.

“As an NSF, my first commitment is to my military duties and I only have time to hunt on weekends.”

He will work as a civil servant upon completing NS next year, and said that he plans to take part in more bug bounty programmes.

“It’s a great way to get practical experience in information security. There are many different types of bug bounties, including mobile and native apps, so there’s always something new to learn.”

This year’s BBP also saw the launch of a Vulnerability Disclosure Programme (VDP) on 1 October.

The VDP invites members of the public to identify and report vulnerabilities found in all government internet-facing web-based and mobile applications.

Members of the public can choose to use the vulnerability disclosure link (“Report Vulnerability”) incorporated into all Government webpages and mobile applications, or email vulnerability_disclosure@tech.gov.sg with details of the suspected vulnerability.

Find out more about the VDP here.



Vulcan Post aims to be the knowledge hub of Singapore and Malaysia.

© 2021 GRVTY Media Pte. Ltd.
(UEN 201431998C.)
