Posted on August 31, 2021 at 6:44 PM
Singapore govt announces a new bug hunt scheme for white hat hackers
Singapore’s government has been one of the few in the world to take the increased hacking activity of the past decade seriously, and it has made an effort to assess and improve its ICT infrastructure. Of course, one of the easiest ways to test the strength and stability of that infrastructure is to let hackers have a go at it.
This is something companies around the world have been doing for years, which is why Singapore is now offering payouts of up to $5,000 to white hat hackers who find flaws, bugs, and similar issues in the systems meant for public-sector use.
Details about the new bug hunt
The country’s GovTech (Government Technology Agency) has launched a new program called the Vulnerability Rewards Programme. This is actually the third initiative aimed at enhancing the security of the local systems: GovTech also runs vulnerability disclosure programs as well as bug bounties.
GovTech commented on these so-called crowdsourced vulnerability discovery programs, saying that they offer a blend of continuous reporting and seasonal in-depth testing capabilities. They typically involve a larger community, and their contributions complement the penetration testing that the government itself conducts on a regular basis.
The bug bounty programs are seasonal, according to the government, and they focus on 5-10 systems per run, usually those that are considered critical and high-profile. With that said, this new rewards scheme will be different. For one, it will be ongoing, and it will continuously test a wide range of critical ICT systems.
It will offer rewards for any vulnerability, with participants being able to earn anywhere from $250 to $5,000, depending on the vulnerability’s severity. There is also a special bounty of up to $150,000, which is reserved for anyone who uncovers vulnerabilities that could cause “exceptional impact.” However, what such vulnerabilities may include will only be known to the government and registered hackers. What’s more, this bounty will only apply to selected systems.
However, there is also an even more special bounty than that. This one will be measured against global crowdsourced vulnerability programs, including those run by major tech corporations such as Microsoft, Google, and the like.
According to what is known, Singapore’s government will apply the new rewards scheme to at least three public-sector systems initially. Those include e-Services under the Manpower Ministry and Central Provident Fund Board — SingPass and CorpPass — as well as WorkPass. The program will then be extended progressively to cover more critical systems.
The government has a history of securing systems with the help of hackers
The program will be operated by HackerOne, a well-known bug bounty operator, and it was announced that only hackers who meet a strict set of criteria will be allowed to participate. HackerOne will conduct strict checks to ensure that only qualifying hackers gain access to the systems. That won’t be the end of it, either: even those who are approved will have to conduct their security testing through a designated VPN gateway that HackerOne will provide.
The VPN will be designed so that a hacker’s access is cut off immediately if they break the rules and stray outside the permitted scope while exploring the systems. Singapore’s GovTech already has plenty of experience with hackers, even though it only started collaborating with them in 2018. In those few short years it has worked with over 1,000 of them, and more than 500 valid bugs, flaws, and vulnerabilities have been discovered and fixed thanks to their efforts.
This new program is meant to let the government tap global security talent and use it to put its systems to the test. Citizens will benefit because the systems will be better suited to protecting their data, the government will have peace of mind, and the hackers will have the opportunity to earn sizable rewards, provided they can find and report valid vulnerabilities. Everybody wins.