Singapore Government Launches New Bug Bounty Program

The Singapore Government Technology Agency (GovTech) on Tuesday introduced a new Vulnerability Rewards Programme (VRP) on HackerOne that offers bug bounty rewards of up to $150,000.

GovTech already runs a Government Bug Bounty Programme (GBBP) and a Vulnerability Disclosure Programme (VDP), but aims to further expand its cybersecurity capabilities to better protect the Government’s Infocomm Technology and Smart Systems (ICT&SS).

By running three crowdsourced vulnerability discovery programs, GovTech aims to ensure it can take advantage of continuous reporting and seasonal in-depth testing that complement routine pen testing operations run by the government.

The expanded VDP is open to all members of the public to identify and report security holes in Internet-facing systems, but only white hat hackers who meet strict criteria are allowed to participate in the GBBP and VRP, because higher-value systems are involved.

Selected systems are open for testing for each iteration of the seasonal GBBP, while the new VRP is meant to ensure continuous testing of a broad range of critical ICT systems that support the delivery of essential digital government services.

Vulnerability reports submitted through the VRP may qualify for monetary rewards ranging between $250 and US$5,000, based on vulnerability severity. Security flaws that could cause “exceptional impact on selected systems and data” may qualify for a special bounty of up to $150,000.

“The special bounty is benchmarked against crowdsourced vulnerability programmes conducted by global technology firms such as Google and Microsoft. This signals the Singapore Government’s commitment to secure critical ICT systems and sensitive personal data,” GovTech says.

Initially, the VRP will cover three systems, namely Member e-Services (Ministry of Manpower – Central Provident Fund Board), Singpass and Corppass (GovTech), and Workpass Integrated System 2 (Ministry of Manpower).

With the VRP running on HackerOne, the platform will be responsible for vetting the white hat hackers who will be allowed to participate. Testing will be performed through a designated virtual private network (VPN) gateway that HackerOne will provide. Participants who break the permitted Rules of Engagement (ROE) may have their VPN access revoked.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
