Singapore’s New Bug Bounty Program Launched with Reward Worth $150,000

The Singapore Government Technology Agency (GovTech) recently introduced a new Vulnerability Rewards Programme (VRP) on HackerOne, offering bug bounty rewards of up to $150,000.

To participate in this program or learn more about it, submit your application HERE.

GovTech already runs a Government Bug Bounty Programme (GBBP) and a Vulnerability Disclosure Programme (VDP). By operating three crowdsourced vulnerability discovery initiatives, it aims to use continuous reporting and seasonal testing to support the government's routine pen-testing operations.

“Together, the three crowdsourced vulnerability discovery programs supplement GovTech’s suite of cyber security capabilities to safeguard the government’s Infocomm Technology and Smart Systems (ICT&SS),” says the agency.

The expanded VDP is open to the public for detecting and reporting security vulnerabilities, but only white hat hackers who meet strict guidelines are allowed to take part in the VRP and GBBP because critical systems are involved.

Selected systems are available for testing, while the new VRP facilitates the continuous testing of a broad range of critical ICT systems supporting the delivery of important digital government services.

Vulnerability reports submitted through the VRP might qualify for financial rewards ranging between $250 and USD 5,000, based on the complexity of the vulnerability. Security flaws that can inflict “exceptional impact on selected systems and data” can qualify for a special bounty of up to $150,000.

According to GovTech, this special bounty is “benchmarked against crowdsourced vulnerability programs conducted by global technology firms such as Google and Microsoft. This signals the Singapore Government’s commitment to secure critical ICT systems and sensitive personal data.”

In the initial stages, the VRP will be available for three systems—Member e-Services (Ministry of Manpower – Central Provident Fund Board), Singpass and Corppass (GovTech), and Workpass Integrated System 2 (Ministry of Manpower).

Because the VRP is hosted on HackerOne, the platform is meant to screen the white hat hackers who will be allowed to take part in the initiative. Testing will be conducted through a dedicated VPN gateway to be provided by HackerOne.

Participants who violate the Rules of Engagement (ROE) might have their VPN access terminated.

The agency launched the first crowdsourced vulnerability discovery program in 2018. Since then, it has teamed up with more than 1,000 white hat hackers to identify nearly 500 valid vulnerabilities. According to officials, this program will let the government access the global pool of cyber security talent to build a secure smart nation.

This latest drive is another initiative by the Singapore government to show its commitment to strengthening data security and cybersecurity.

In August 2021, Singapore entered into an agreement with the US to improve cooperation and knowledge sharing about cyber risks targeting financial institutions.
