Singapore defence ministry invites hackers to breach its systems

Country's Ministry of Defence will run a "bug bounty" programme, led by HackerOne, inviting hackers worldwide to identify vulnerabilities in its internet-facing systems.
Written by Eileen Yu, Senior Contributing Editor

Singapore's Ministry of Defence (Mindef) is turning to the global community of ethical hackers for help in identifying vulnerabilities in its internet-facing systems.

Specifically, some 300 selected white hat hackers would be invited to penetrate eight such systems, including the ministry's public website, NS Portal, and Defence Mail.

The move marked the first time the ministry had embarked on a crowdsourcing effort to uncover bugs in its systems, said Mindef's cyber chief David Koh, who is also head of the Cyber Security Agency.

Called the Mindef Bug Bounty Programme, the initiative would kick off on January 15 and end on February 4 next year.

Hackers would receive bounties for each "valid and unique" bug they found, Koh said, adding that the scheme was necessary to help the ministry keep up with the fast-changing cyber landscape.

He noted that it was impossible for any company, on its own, to fully secure modern software systems with new vulnerabilities uncovered every day.

Mindef in February suffered a security breach that compromised the personal data of 850 national servicemen and employees. The incident involved its I-net system, which supported web-connected computer terminals its employees and national servicemen used for personal online communications or internet browsing.

The ministry had said at the time that the system did not contain any classified military data, which was used on a separate system that had no connection to the internet and had more stringent security features.

Rewarding business in bug bounty

Mindef had brought on global bug bounty vendor HackerOne to run its bug bounty programme, but gave no indication of how much hackers would receive for discovering bugs. The US vendor, however, had previously offered rewards of up to US$30,000 for the most critical security flaws.

Mindef certainly is not the first government agency to turn to bounties. The US government in March 2016 ran its 24-day Hack the Pentagon bug bounty programme, which uncovered 138 vulnerabilities and saw a total of US$70,000 awarded to researchers. The highest bounty was US$3,500, with the average worth US$588.

HackerOne estimated that, by 2020, ethical hackers could earn US$100 million in bug bounties on its platform for resolving 200,000 bugs. More than 100,000 hackers were currently registered with HackerOne, which had paid out more than US$20 million in bounties to date.
