Singapore flags $5000 rewards in bug bounty expansion

Also includes a special bounty of up to US$150,000 for the discovery of vulnerabilities that could cause “exceptional impact on selected systems and data”.
Lim Bee Kwan (GovTech)

The Singapore government has expanded its efforts to uncover vulnerabilities in its IT systems with a new program aimed at offering rewards of up to US$5000 to white hat hackers.

The country’s Government Technology Agency (GovTech) revealed on 31 August it had launched a new Vulnerability Rewards Program (VRP) to augment its existing Government Bug Bounty Program (GBBP) and Vulnerability Disclosure Program (VDP).   

“Together, the three crowdsourced vulnerability discovery programs supplement GovTech’s suite of cyber security capabilities to safeguard the government’s Infocomm Technology and Smart Systems (ICT&SS),” the agency said in a statement.  

GovTech, which is the lead agency driving Singapore’s Smart Nation initiative and public sector digital transformation, said that the three crowdsourced vulnerability discovery programs together offer a blend of continuous reporting and seasonal in-depth testing capabilities that taps the larger community.

“While members of the public can report suspected vulnerabilities on all internet-facing systems through the VDP, the GBBP and VRP are only open to ‘white hat’ hackers – or ethical hackers – for testing due to the higher-value systems involved,” the agency said.

“The seasonal GBBP focuses on selected systems in each iteration, whereas the new VRP aims to continuously test a wider range of critical ICT systems necessary for the continuous delivery of essential services in our digital economy,” it added.

The new, additional program offers monetary rewards ranging from US$250 to US$5000 to white hat hackers, depending on the severity of the vulnerabilities discovered.  

At the same time, a special bounty of up to US$150,000 will be awarded for the discovery of vulnerabilities that could cause “exceptional impact on selected systems and data”.  

The special bounty is designed to fall in line with, and be benchmarked against, crowdsourced vulnerability programs conducted by global technology firms such as Google and Microsoft, the agency said.  

However, GovTech noted that only selected systems under the VRP have categories outlining the consequences that qualify as “exceptional impact”.  

“The categories will apply only to the respective systems and white hat hackers will be informed of the categories after they have successfully registered,” it said. 

The VRP will initially cover three systems: Singpass and Corppass, which come under GovTech’s jurisdiction; Member e-Services, which sits within the Ministry of Manpower – Central Provident Fund Board; and Workpass Integrated System 2, within the jurisdiction of the Ministry of Manpower.

“As these are systems that are critical to the delivery of essential digital government services, only white hat hackers who have met the strict criteria will be allowed to participate,” the agency said. “These checks will be conducted by the appointed bug bounty company, HackerOne.”

However, more critical IT systems will be progressively added to the program over time.   

Registered participants will be required to conduct their security testing through a designated virtual private network (VPN) gateway provided by HackerOne.  

“This is to ensure that the security testing activities are within the permitted Rules of Engagement (ROE). If participants breach the ROE, their VPN access may be revoked to minimise potential disruptions to the integrity of the government systems,” GovTech said.

Since the launch of the agency's first crowdsourced vulnerability discovery program in 2018, it has partnered with over 1000 white hat hackers to discover about 500 valid vulnerabilities, according to Lim Bee Kwan, assistant chief executive for Governance and Cybersecurity, GovTech.  

“The new Vulnerability Rewards Program will allow the government to further tap the global pool of cyber security talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure smart nation,” she said.

From GovTech’s perspective, the new rewards pledge signals the Singapore government’s commitment to secure critical IT systems and sensitive personal data.

In July, Microsoft – one of the vendors the Singapore government is endeavouring to benchmark against – extended its ongoing ‘bug bounty’ program to its Teams mobile applications, offering rewards of up to US$30,000.

The global giant previously added Teams to the security research program in March, but the move marked the first recognition of the mobile application.

Broken down, the program will offer between US$15,000 and US$30,000 for two scenario-based awards focused on vulnerabilities that have the highest potential impact on customer privacy and security.

It will also offer rewards from US$500 to US$15,000 for other eligible vulnerability reports for Teams iOS and Android mobile applications.