New rewards programme tests resilience of Government systems

Ethical hackers who discover and report security issues in government systems will be offered cash rewards by the Government Technology Agency’s programme

The Government Technology Agency (GovTech), a statutory board of the Singapore government, has launched a new Vulnerability Rewards Programme (VRP) to supplement the existing Government Bug Bounty Programme (GBBP) and Vulnerability Disclosure Programme (VDP). 

The agency has announced the VRP to crowdsource cyber-security expertise from the global ethical or "white hat" hacker community. Bugs found will be reported to the respective agency for remediation.

The rewards range from US$200 to US$5,000, depending on the severity of the vulnerabilities discovered. A special bounty of up to US$150,000 will be awarded for the discovery of vulnerabilities that could cause "exceptional" impact on selected systems and data. The special bounty is benchmarked against crowdsourced vulnerability programmes conducted by global technology firms such as Google and Microsoft. 

Ms Lim Bee Kwan, Assistant Chief Executive for Governance and Cybersecurity, GovTech, said, “Since the launch of our first crowdsourced vulnerability discovery programme in 2018, we have partnered with over 1,000 highly skilled white hat hackers to discover about 500 valid vulnerabilities. The new Vulnerability Rewards Programme will allow the Government to further tap the global pool of cybersecurity talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure Smart Nation.”


How will the programme work? 


The programme will run continuously and cover three systems: Singpass and Corppass; member e-services under the Ministry of Manpower (MOM) and Central Provident Fund; and the MOM's Work Pass Integrated System. Other critical ICT systems will be progressively added to the programme.

These critical systems provide essential digital government services, so only white hat hackers who are vetted and meet strict criteria, or who are specifically invited, will be allowed to participate, GovTech said. Background checks will be conducted by HackerOne, a bug bounty platform and community of cyber-security experts and white hat hackers.

Registered participants will conduct security testing through a designated virtual private network (VPN) provided by HackerOne.

Together, the three crowdsourced vulnerability discovery programmes supplement GovTech’s suite of cybersecurity capabilities to safeguard the Government’s Infocomm Technology and Smart Systems (ICT&SS). They offer a blend of continuous reporting and seasonal in-depth testing capabilities that taps the larger community, in addition to routine penetration testing conducted by the Government. 



Featured Articles

How secure is sensitive data stored in the cloud?

A Cloud Security Alliance (CSA) survey has found 67% of organisations store sensitive data in public cloud environments, but how secure is it?

CYBER LIVE LONDON: Day 2 highlights of the hybrid tech show

We take a look at highlights of the different stages at the Tech Live London show, including insights from Claroty, SalesForce and Oracle

TECH LIVE LONDON: An overview of the hybrid technology show

We take a look at the first day of Tech Live London with insights from technology leaders from companies such as IBM, Microsoft and Vodafone

Does a cashless society mean higher risk of fraud?

Cyber Security

5 minutes with Gary Brickhouse, CISO of GuidePoint Security

Cyber Security

CTO at Passbolt explains the importance of password managers

Application Security