New rewards programme tests resilience of Government systems

Ethical hackers who discover and report security issues in government systems will be offered cash rewards by the Government Technology Agency’s programme

The Government Technology Agency (GovTech), a statutory board of the Singapore government, has launched a new Vulnerability Rewards Programme (VRP) to supplement the existing Government Bug Bounty Programme (GBBP) and Vulnerability Disclosure Programme (VDP). 

The agency has announced the VRP to crowdsource cyber-security expertise from the global ethical or "white hat" hacker community. Bugs found will be reported to the respective agency for remediation.

The rewards range from US$200 to US$5,000, depending on the severity of the vulnerabilities discovered. A special bounty of up to US$150,000 will be awarded for the discovery of vulnerabilities that could cause "exceptional" impact on selected systems and data. The special bounty is benchmarked against crowdsourced vulnerability programmes conducted by global technology firms such as Google and Microsoft. 

Ms Lim Bee Kwan, Assistant Chief Executive for Governance and Cybersecurity, GovTech, said, “Since the launch of our first crowdsourced vulnerability discovery programme in 2018, we have partnered with over 1,000 highly skilled white hat hackers to discover about 500 valid vulnerabilities. The new Vulnerability Rewards Programme will allow the Government to further tap the global pool of cybersecurity talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure Smart Nation.”


How will the programme work? 


The programme will run continuously and cover three systems: Singpass and Corppass; member e-services under the Ministry of Manpower (MOM) and Central Provident Fund; and the MOM's Work Pass Integrated System. Other critical ICT systems will be progressively added to the programme.

These critical systems provide essential digital government services, so only white hat hackers who are vetted and meet strict criteria, or who are specifically invited, will be allowed to participate, GovTech said. Background checks will be conducted by HackerOne, a bug bounty platform and community of cyber-security experts and white hat hackers.

Registered participants will conduct security testing through a designated virtual private network (VPN) provided by HackerOne.

Together, the three crowdsourced vulnerability discovery programmes supplement GovTech’s suite of cybersecurity capabilities to safeguard the Government’s Infocomm Technology and Smart Systems (ICT&SS). They offer a blend of continuous reporting and seasonal in-depth testing capabilities that taps the larger community, in addition to routine penetration testing conducted by the Government. 



Featured Articles

IT and OT security with Ilan Barda, CEO of Radiflow

Cyber Magazine speaks with Radiflow’s CEO, Ilan Barda, about converging IT and OT and how leaders can better protect businesses from cybersecurity threats

QR ‘Quishing’ scams: Do you know the risks?

QR code scams, or Quishing scams, are rising and pose a threat to both private users and businesses as cyberattacks move towards mobile devices

Zero Trust Segmentation with Illumio’s Raghu Nandakumara

Head of Industry Solutions at Illumio, Raghu Nandakumara, offers insight into the proposed ban on ransom payments and how businesses can utilise Zero Trust

Is the password dead? Legacy technology prevents the shift

Network Security

Fake Bard AI malware: Google seeks to uncover cybercriminals

Technology & AI

Gartner report highlights threat of supply chain attacks

Cyber Security