Debate on ministries' budgets

Bugs fixed after ethical hackers find 26 weak spots in govt systems

Mr Teo Wei Sheng was one of 400 ethical hackers who took part in the Government Bug Bounty Programme. The 22-year-old found two vulnerabilities and was given US$1,000 (S$1,300) for his efforts. PHOTO: GOVTECH

In their first year of university, most undergraduates would be learning how to juggle school and co-curricular activities.

As he did all that, Mr Teo Wei Sheng, 22, also found the time to hack into government systems, and walked away with a cool US$1,000 (S$1,300) for doing so.

Mr Teo was one of 400 "white hat" hackers, or ethical hackers, invited by the Government last December to look for internal vulnerabilities in a handful of its systems and websites.

After finding a total of 26 vulnerabilities or bugs and fixing them, the Government has decided to expand the programme to include more systems, Senior Minister of State for Communications and Information Janil Puthucheary told Parliament yesterday.

He was speaking during the debate on the Ministry of Communications and Information's budget.

Mr Vikram Nair (Sembawang GRC) had asked how Singapore assesses how secure its government systems are.

Addressing the issue, Dr Janil, who also helps to oversee the Government Technology Agency (GovTech) that maintains government systems, said the Government Bug Bounty Programme (GBBP) has "raised our cyber-security standards".

"We gained insights into potential attack vectors, better secured our Web applications, and we improved our mechanisms for patching vulnerabilities effectively and comprehensively," he said.

GovTech and the Cyber Security Agency (CSA), which both organised the GBBP, said in a joint statement yesterday that out of the 26 bugs found, 18 were classified as being of "medium" severity, and one was said to be of "high" severity. The remaining seven were of "low" severity.

The agencies said that the total payout for the programme, which took place from Dec 27 last year to Jan 16, was US$11,750.

Although only a quarter of the 400 participants were local, seven out of the top 10 hackers were from Singapore.

As part of the contract requirements, the participants' credentials were vetted and verified by GovTech's appointed bug bounty company, US-based HackerOne, before they were allowed to take part in the GBBP.

Hackers chosen for the GBBP also had to sign an agreement not to share information about the vulnerabilities they found.

GovTech and CSA said that they will conduct another GBBP this year to include more government systems and websites.

Mr Teo found two vulnerabilities, and was given US$500 for each of them.

Recounting his experience, he said: "Bug bounty programmes are a very good way of applying my skills and to learn from some of the best hackers locally and globally."

Hariz Baharudin

A version of this article appeared in the print edition of The Straits Times on March 05, 2019, with the headline 'Bugs fixed after ethical hackers find 26 weak spots in govt systems'.