New vulnerability rewards programme by the Singapore Government.
The Government Technology Agency (GovTech) has launched a new Vulnerability Rewards Programme (VRP) to augment the existing Government Bug Bounty Programme (GBBP) and Vulnerability Disclosure Programme (VDP). Together, the three crowdsourced vulnerability discovery programmes supplement GovTech’s suite of cybersecurity capabilities to safeguard the Government’s Infocomm Technology and Smart Systems (ICT&SS).
The three crowdsourced vulnerability discovery programmes offer a blend of continuous reporting and seasonal in-depth testing capabilities that tap the larger community, in addition to routine penetration testing conducted by the Government.
While members of the public can report suspected vulnerabilities on all Internet-facing systems through the VDP, the GBBP and VRP are only open to ‘white hat’ hackers – or ethical hackers – for testing due to the higher-value systems involved. The seasonal GBBP focuses on selected systems in each iteration, whereas the new VRP aims to continuously test a wider range of critical ICT systems necessary for the continuous delivery of essential services in our digital economy.
The VRP offers monetary rewards ranging from US$250 to US$5,000 to white hat hackers, depending on the severity of the vulnerabilities discovered. A special bounty of up to US$150,000 will be awarded for the discovery of vulnerabilities that could cause exceptional impact on selected systems and data. The special bounty is benchmarked against crowdsourced vulnerability programmes conducted by global technology firms such as Google and Microsoft. This signals the Singapore Government’s commitment to secure critical ICT systems and sensitive personal data.
The programme will first cover three systems: Singpass and Corppass (GovTech); Member e-Services (Ministry of Manpower – Central Provident Fund Board); and Workpass Integrated System 2 (Ministry of Manpower). More critical ICT systems will be progressively added to the programme.
As these are systems that are critical to the delivery of essential digital government services, only white hat hackers who have met the strict criteria will be allowed to participate. These checks will be conducted by the appointed bug bounty company, HackerOne. Registered participants will conduct security testing through a designated virtual private network (VPN) gateway provided by HackerOne. This is to ensure that the security testing activities are within the permitted Rules of Engagement (ROE).
If participants breach the ROE, their VPN access may be revoked to minimise potential disruptions to the integrity of the government systems, said Lim Bee Kwan, assistant chief executive for governance and cybersecurity at GovTech.
“Since the launch of our first crowdsourced vulnerability discovery programme in 2018, we have partnered with over 1,000 highly skilled white hat hackers to discover about 500 valid vulnerabilities,” she said. “The new Vulnerability Rewards Programme will allow the Government to further tap the global pool of cybersecurity talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure Smart Nation.”