Singapore defence ministry runs second HackerOne bug bounty programme

Dangling bounties ranging from $150 to $10,000, Singapore's Ministry of Defence hopes to uncover vulnerabilities in 11 internet-facing systems and websites with the help of 400 white-hat hackers from the HackerOne global community.

Singapore's Ministry of Defence (Mindef) has kicked off its second bug bounty programme in the hope of uncovering vulnerabilities in 11 internet-facing systems and websites. It has engaged previous collaborator HackerOne, inviting 400 white-hat hackers to participate in this year's exercise, in which bug bounties ranging from $150 to $10,000 are up for grabs.

Running from September 30 to October 21, the bug bounty programme will include systems that belong to the ministry as well as the Singapore Armed Forces and other agencies in the defence sector, Mindef said in a statement. This year's exercise will also have a stronger focus on personal data protection, with additional bounties to be awarded for vulnerabilities that could result in the loss of personal data, the ministry said.

The ministry's first bounty programme last year covered eight systems, compared with 11 this year.

Among the 400 hackers participating in the second bounty programme, 200 are based in Singapore, twice the number in 2018, when 264 hackers took part.

According to HackerOne, 35 bugs were identified and resolved in Mindef's bug bounty programme last year, with a total bounty of $14,750 dished out to participants. Citing its 2019 Hacker-Powered Security Report, the bug bounty platform said organisations in Singapore, including the National University of Singapore and GovTech, also ran bounty programmes and awarded hackers more than $270,000 -- the highest amount in the Asia-Pacific region.

Mindef's programme manager at HackerOne, Fifi Handayani, said: "We want to applaud Mindef for being one of the first few government agencies to embrace such a forward-thinking approach to security. [Its] continued investment in hacker-powered security exemplifies the value governments and companies see from partnering with the hacker community to reduce risks." 

Singapore's defence sector in February unveiled plans to arm itself with 300 specialists trained in cybersecurity skills as part of efforts to better safeguard its systems and networks. It also opened a school to prepare future recruits with relevant cyberdefence skillsets. The new hires will carry out tasks such as cyber incident response and vulnerability assessments, and will be responsible for operations planning and policy formulation, among others.
