Hacker awarded US$5,000 after finding 9 vulnerabilities in MINDEF systems

MINDEF Defence Cyber Chief Mr David Koh handing a plaque to Darrel, the top overall white hat participant. (Photo: Ahmad Khan) 

SINGAPORE: He used to hack online video games to win prizes when he was in secondary school.

Now, this 30-year-old cybersecurity manager from Ernst & Young has been rewarded for being the top overall white hat participant in MINDEF's bug bounty programme. 

The hacker, who wanted to be known only by his codename Darrel Shivadagger, reported nine out of 35 vulnerabilities that existed in MINDEF systems, one of which was rated a "high severity" bug. He was awarded US$5,000 (S$6,606) for his efforts. 

"They (MINDEF) have systems in place that are actually quite sensitive," Darrel said. "They actually warded off very intrusive attempts from me. I was able to find only client-side vulnerabilities. I couldn't really find anything major or server-side related."

Darrel was one of 264 white hat hackers from around the world who participated in the programme, including people from the United States, Singapore, India, Romania, Canada, Russia, Sweden, Ireland, Egypt and Pakistan.

They were invited to try to penetrate systems - including MINDEF’s public website, NS Portal and Defence Mail - for three weeks from Jan 15 until Feb 4.

Of those who participated, 17 spotted vulnerabilities that were valid. Of the 35 vulnerability reports, 23 were classified as "low severity", 10 "medium" and two "high". None were rated as "critical".

According to MINDEF, it responded to the hackers’ vulnerability reports within five hours on average. In total, MINDEF awarded US$14,750 in bounties to the 17 successful hackers who participated.

MINDEF’s Defence Cyber Chief David Koh said that the exercise was a "useful and effective programme". 

"We have started sharing our processes with other government agencies so that they understand exactly what has happened, understand the amount of resources that has been put into this." 

MINDEF added that it will continue to explore other methods to evolve and improve its defences against cyber threats.

Source: CNA/am