Hackers to get monetary rewards as part of GovTech’s new vulnerability discovery programme
A special bounty of up to US$150,000 will be awarded for discovering vulnerabilities that could cause "exceptional" impact on selected systems and data.
SINGAPORE: A new crowdsourcing programme that rewards white hat hackers who discover vulnerabilities has been launched, the Government Technology Agency of Singapore (GovTech) said in a media release on Tuesday (Aug 31).
The Vulnerability Rewards Programme will start with three systems, the agency said: GovTech's SingPass and CorpPass; the Ministry of Manpower (MOM) and Central Provident Fund's member e-services; and MOM's Workpass Integrated System.
More systems will be added to the programme progressively, GovTech said.
Only white hat hackers who have met "strict criteria" will be allowed to participate, the agency added, as the systems involved are critical to delivering essential Government services.
Checks will be conducted by US-based bug bounty company HackerOne.
Rewards for vulnerabilities found can range from US$250 to US$5,000 depending on their severity, GovTech said.
A special bounty of up to US$150,000 is also offered for the discovery of vulnerabilities that could cause "exceptional" impact on selected systems and data.
Selected systems under the new rewards programme have categories outlining the consequences that qualify as exceptional impact. The categories will apply only to the respective systems and white hat hackers will be informed of the categories after they have registered.
"The special bounty is benchmarked against crowdsourced vulnerability programmes conducted by global technology firms such as Google and Microsoft," said GovTech in the media release.
THIRD CROWDSOURCED VULNERABILITY PROGRAMME
The Vulnerability Rewards Programme is the third crowdsourced vulnerability discovery programme by the agency.
The Government Bug Bounty Programme, launched in 2018, invites white hat hackers to conduct in-depth testing of selected Government systems to discover vulnerabilities.
Bounties are paid for valid vulnerabilities depending on the severity of the discovered "bug", which is then reported to the respective agency for remediation.
A second crowdsourced programme, the Vulnerability Disclosure Programme, was launched in 2019.
Members of the public are invited to report vulnerabilities found in any Government websites and mobile applications.
Valid vulnerabilities were rewarded with HackerOne points.
Since launching the first programme in 2018, the agency has partnered with more than 1,000 white hat hackers to discover about 500 valid vulnerabilities, said assistant chief executive for governance and cybersecurity at GovTech Lim Bee Kwan.
"The new Vulnerability Rewards Programme will allow the Government to further tap the global pool of cybersecurity talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure Smart Nation," Ms Lim said.