The Singapore Government has announced a new short-term bug bounty program for external hackers to find vulnerabilities in nine key government-run websites.
The bug bounty is being overseen by the Government Technology Agency of Singapore (GovTech) and the Cyber Security Agency of Singapore (CSA).
The three-week bug hunting program is limited to internet-facing systems and will focus on nine widely-used systems, including the GovTech-run SingPass and MyInfo websites for transacting with government agencies online; the Singapore Land Authority’s OneMap website and mobile app; and the Monetary Authority of Singapore’s MASNET and MAS corporate websites used by financial institutions.
Others include the Ministry of Education’s Parents Gateway and the Ministry of Manpower’s SGWorkPass mobile and CheckWorkPass Status e-Service.
Singapore kicked off its first three-week government bug bounty in December 2018, offering pre-selected researchers awards of up to $10,000 per bug. The program helped resolve 26 bugs and paid researchers total rewards of just under $12,000.
Singapore’s Ministry of Defence (MINDEF) had run a separate bug bounty in early 2018 that produced 35 valid bug reports and a top individual prize of $2,000.
As with the previous GovTech and CSA bug bounty programs, this new program will be managed by the third-party bug bounty firm HackerOne. Rewards range from US$250 to US$10,000. The program will run from July to August 2019, and GovTech intends to announce key findings in September 2019.
HackerOne boasts that besides the Singapore Government, other nations’ agencies using it for bug bounties include the U.S. Department of Defense, the U.S. General Services Administration, the UK’s NCSC, and the European Commission, which has an ongoing EU-FOSSA program targeting open source programs.
One beneficiary of the EC’s bug bounty was the project behind the popular VLC media player, which in June released its biggest security update ever. But key VLC developers were left with mixed feelings about the program because it attracted both scammers and actually technically competent hackers who helped it resolve security bugs.