The Government Technology Agency (GovTech) and Cyber Security Agency (CSA) successfully ended the second Government Bug Bounty Programme (BBP) that they have successfully concluded.
These findings were released at the side-lines of the Singapore International Cyber Week 2019.
This second BBP held from 8 to 28 July 2019. This programme is a part of the Government’s ongoing efforts for building a protected and strong Smart Nation.
It includes the use of traditional procedures of vulnerability assessment and penetration testing, which allows the government to understand its defence systems and compare it against those of the global and local community of researchers and white hats.
The programme spanned across nine Internet-facing government ICT systems and digital services which possess high user touchpoints:
- SingPass
- MyInfo (Govtech)
- OneMap website and mobile (Singapore Land Authority)
- MASNET (Monetary Authority of Singapore)
- MAS corporate website (Monetary Authority of Singapore)
- Parents Gateway (Ministry of Education)
- SGWorkPass mobile (Ministry of Manpower)
- Check Work Pass Status e-Service (Ministry of Manpower)
Highlights of programme
- Four “high severity” vulnerabilities identified out of 31 proven vulnerabilities
- Remaining 27 were “medium” or “low” vulnerabilities
- 290 local and overseas cybersecurity researchers and white hat hackers were involved
- 70 participants from Singapore, with 30 of them having participated in the first Government BBP
- US$25,960: total bounty paid out
- Seven out of top 10 award recipients of the second BBP were Singaporeans
- “spaceraccoon”- the top white hacker is a Singaporean who found nine vulnerabilities and as been awarded US$8,500 in bounty
Based on the success in detecting vulnerabilities, the Singapore Government will be rolling out a third BBP in November 2019. This programme will be focused on expanding to more government ICT systems and digital services.
Vulnerability Disclosure Programme
In line with this, a Vulnerability Disclosure Programme (VDP) was launched by GovTech, on 1 October, on the HackerOne platform. HackerOne is the top e-hacker-powered pen testing and bug bounty platform.
GovTech has invited members of the public to detect and report the discovery of vulnerabilities found in all government internet-facing web-based and mobile applications.
VDP was established by GovTech to promote the prompt reporting of suspected vulnerabilities in IT services, systems, resources and/or processes which could pose threats to Government internet-accessible applications.
First Government BBP
The first Government BBP was carried out from 27 December 2018 to 16 January 2019.
The Bug Bounty programme was launched with the objective of strengthening Singapore’s defence networks and systems, which present an attractive target for malicious cyber activity. Selected white hat hackers from around the world invited to test MINDEF’s Internet-facing systems for vulnerabilities (or “bugs”) in return for rewards.
The programme facilitated by HackerOne, a reputable international bug bounty company.
A total of 264 white hats from around the world participated in this programme, including participants from Canada, Egypt, India, Ireland, Pakistan, Romania, Russia, Singapore, Sweden, and the United States.
There were 100 from the local white hat community and 164 (including 57 of the top 100 ranked white hats in HackerOne’s network) from HackerOne’s network of about 175,000 international white hat hackers.
34 participants submitted 97 vulnerability reports, of which 35 reports were deemed valid. The bounty amounts paid out ranged from US$250 to US$2,000. The total bounty pay-out was US$14,750.
The top overall white hat participant is Shivadagger, a local researcher. He reported nine unique vulnerabilities, receiving a total bounty of US$5,000, which is about one-third of the total bounty pay-out. He received US$2,000 for one of the high-severity bugs, and between US$250 and US$750 for his other validated bugs.