GovTech launches vulnerability rewards programme

Vulnerability rewards programme will offer rewards ranging from $250 to $5,000 to white hat hackers who find vulnerabilities in critical government systems

Singapore’s Government Technology Agency (GovTech) has launched a Vulnerability Rewards Programme (VRP) to augment its existing bug bounty and vulnerability disclosure programmes, in a bid to shore up the security of government IT systems.

The VRP, which focuses on critical IT systems, and the existing bug bounty programme, which focuses on selected systems, are open only to white hat hackers. The vulnerability disclosure programme is open to the public for disclosures of vulnerabilities in internet-facing systems.

GovTech said the three crowdsourced vulnerability discovery programmes will “offer a blend of continuous reporting and seasonal in-depth testing capabilities that taps the larger community, in addition to routine penetration testing conducted by the government”.

The VRP will offer rewards ranging from $250 to $5,000 to white hat hackers, depending on the severity of the vulnerabilities discovered. A special bounty of up to $150,000 will be awarded for the discovery of vulnerabilities that could cause exceptional impact on selected systems and data.

GovTech said the special bounty is benchmarked against crowdsourced vulnerability programmes conducted by global technology firms such as Google and Microsoft.

For a start, the VRP will cover three systems: Singpass and Corppass (GovTech); Member e-Services (Ministry of Manpower – Central Provident Fund Board); and Workpass Integrated System 2 (Ministry of Manpower). More critical ICT systems will be progressively added to the programme.

As these systems are critical to the delivery of essential digital government services, only white hat hackers who have met the strict criteria will be allowed to participate, GovTech said.

These checks will be conducted by the appointed bug bounty company, HackerOne. Registered participants will conduct security testing through a designated virtual private network (VPN) gateway provided by HackerOne.

This will ensure that the security testing activities are within the permitted rules of engagement. If participants breach the rules, their VPN access may be revoked to minimise potential disruptions to the integrity of government systems.

“Since the launch of our first crowdsourced vulnerability discovery programme in 2018, we have partnered with over 1,000 highly skilled white hat hackers to discover about 500 valid vulnerabilities,” said Lim Bee Kwan, assistant chief executive for governance and cyber security at GovTech.

“The new Vulnerability Rewards Programme will allow the government to further tap the global pool of cyber security talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure smart nation.”
