Singapore government to run another bug bounty

Its third with bug bounty platform HackerOne, the Singapore government is looking to identify potential security holes across nine online digital services as well as ICT systems with high user engagement.
Written by Eileen Yu, Senior Contributing Editor

The Singapore government is planning another bug bounty programme to identify potential security holes across nine of its online digital services as well as ICT systems that facilitate high user interaction. Depending on the severity of bug identified, between US$250 and US$10,000 will be paid out for each unique, validated security vulnerability report.

Led by Singapore Government Technology Agency (GovTech) and Cyber Security Agency, the bounty programme was scheduled to run from July to August 2019, according to HackerOne. This is the third bug-hunting exercise the bounty platform will be running for the Singapore government, following to others involving GovTech and the Ministry of Defence (Mindef).

Some 200 international hackers and 100 local hackers would be invited to participate in the latest bug hunt, with participants invited based on their previous performance metrics on HackerOne's platform. The exercise would run over three weeks, with the results slated to be unveiled in September 2019. 

The nine online ICT systems and digital services put to test would include the website of Monetary Authority of Singapore, Singapore Land Authority's OneMap website and mobile app, as well as SingPass and MyInfo, which were personal accounts and profiles used by citizens to access e-government services. 

GovTech's first bug bounty programme was held earlier this year and had involved 400 local and international hackers, who collectively identified 26 vulnerabilities and earned almost US$12,000 for their effort. Five online government ICT systems and digital services were tested in the initiative. 

Mindef's HackerOne programme in early-2018 led to the discovery of 35 vulnerabilities.

HackerOne's director of programme management Paul Griffin said: "Tapping the skilled and global hacker community is the most efficient way to approach security testing. The latest bug bounty program continues to signal momentum in the constant battle against malicious actors on the internet."

Singapore's public sector has been the target of cybercriminals in recent years that, amongst others, compromised the personal data of 1.5 million SingHealth patients and 850 national servicemen and employees. Security lapses also affected 14,200 individuals with HIV and 808,201 blood donors, exposing their personal information. 

CSA last month released a report that revealed a a drop in the number of common cyber threats last year, but projected more frequent data breaches and disruptive attacks against the cloud in the near future. It noted that there were 605 instances of website defacements last year compared to 2,040 in 2017, with most of the affected websites owned by small and midsize businesses (SMBs).


Singapore updates guidelines on data breach notification and accountability

Expected to be included as part of the upcoming amendment to the country's data protection law, the new guidelines state businesses must take no more than 30 days to investigate a suspected breach and notify authorities 72 hours after completing their assessment of the breach.

Singapore arms up on cyberdefence experts, opens cyberdefence school

Country's defence ministry plans to hire 300 specialists trained in areas such as network monitoring and vulnerability assessment to better safeguard its systems and has opened a school to arm future recruits with cyberdefence skillsets.

Singapore to offer bug bounty, set up Asean cybersecurity centre

Singapore government will launch a bug bounty initiative by end-2018, when local and international hackers will be invited to test systems for vulnerabilities, as well as a cybersecurity hub next year to facilitate collaboration and training efforts amongst Asean country members.

Singapore public sector reports yet another security lapse

Following a spate of data breaches affecting healthcare patients in Singapore, another lapse has occurred. A server containing personal information of 808,201 blood donors was not properly secured by a third-party vendor, potentially exposing data such as blood type and national identification number.

Dropbox uncovers 264 vulnerabilities in HackerOne Singapore bug hunt

Cloud storage vendor forks out US$319,300 in a one-day bug bounty programme that galvanised 45 HackerOne members in Singapore, where two hackers discussed their strategy and offered advice for businesses to better secure their systems.

Editorial standards