Parliament: Hackers find 26 vulnerabilities in govt bug bounty programme, all bugs fixed

Mr Teo Wei Sheng was one of 400 ethical hackers who took part in the Government Bug Bounty Programme. The 22-year-old found two vulnerabilities and was given US$1,000 (S$1,300) for his efforts.
Mr Teo Wei Sheng was one of 400 ethical hackers who took part in the Government Bug Bounty Programme. The 22-year-old found two vulnerabilities and was given US$1,000 (S$1,300) for his efforts.PHOTO: GOVTECH

SINGAPORE - In their first year of university, most undergraduates would be learning how to juggle between school, co-curricular activities and their personal lives.

As he did all that, Mr Teo Wei Sheng, 22, also found the time to hack into government systems, and walked away with a cool US$1,000 (S$1,300) for doing so.

Mr Teo was one of 400 "white hat" hackers, or ethical hackers, invited by the Government in December last year to look for internal vulnerabilities in a handful of systems and websites.

After finding a total of 26 bugs and fixing them, the Singapore Government has decided to expand the programme to include more systems, Senior Minister of State for Communications and Information Janil Puthucheary told Parliament on Monday (March 4).

Dr Janil was speaking during the debate on the budget of the Ministry of Communications and Information and was addressing remarks by Mr Vikram Nair (Sembawang GRC), who had asked how the Government assesses the cyber security of its systems.

The Government Bug Bounty Programme (GBBP) has "raised our cyber-security standards", said Dr Janil, who also helps oversee the Government Technology Agency (GovTech) that maintains government systems.

"We gained insights into potential attack vectors, better secured our Web applications, and we improved our mechanisms for patching vulnerabilities effectively and comprehensively," he said.

GovTech and the Cyber Security Agency (CSA), which both organised the GBBP, said in a joint statement on Monday that out of the 26 bugs found, 18 were classified as "medium" severity and one was said to be of "high" severity. The remaining seven were of "low" severity.

The agencies said that the total payout for the programme, which took place from Dec 27 last year to Jan 16, was US$11,750.

Although only a quarter for the 400 participants were local, seven out of the top 10 hackers were from Singapore.

In order to participate, these ethical hackers had to be registered with GovTech's appointed bug bounty company, US-based HackerOne.

As part of the contract requirements, the participants' credentials were vetted and verified by HackerOne before they were allowed to take part in the GBBP.

Hackers chosen for the GBBP also had to sign an agreement not to share about the vulnerabilities they found.

GovTech and CSA said that they will conduct another GBBP this year to include more government systems and websites.

Mr Teo was one of the seven local participants who had emerged among the top 10. He had found two vulnerabilities, and was given US$500 for each of them.

He is also one of the youngest participants in the programme, the youngest being 18.

Recounting his experience, Mr Teo said: "Bug bounty programmes are a very good way of applying my skills and to learn from some of the best hackers locally and globally."

This is the second time the Government has organised such a programme.

In December 2017, a bug bounty programme was conducted for the Ministry of Defence. As a result, 35 valid bugs, including two classified as "high" severity, were found and fixed.

The 17 successful hackers received a total of US$14,750 in bounties. Their rewards ranged from US$250 to US$2,000.