Hackers find 35 bugs in first Mindef bug bounty programme, $19,500 paid out

A cyber-security manager at Ernst & Young, who wanted to be known as Darrel, was the top hacker in Mindef's Bug Bounty Programme. ST PHOTO: JONATHAN CHOO

SINGAPORE - Hackers invited to penetrate the Defence Ministry's systems earlier this year have found 35 valid bugs, including two classified as "high" severity and which have since been fixed.

Of the 264 participating hackers, the top hacker was a Singaporean cyber-security manager at Ernst & Young who took home about one-third of the total bounty paid out.

The total payout for the programme, which took place from Jan 15 to Feb 4 this year, was US$14,750 (S$19,480).

If exploited, the high-severity bugs, found on the NS Portal, could have resulted in certain users being greeted with a defaced webpage, or in the names of servicemen being compromised.

Of the other valid bugs, 10 were rated "medium" severity and 23 were rated "low". None was classified as "critical".

All of them have been mitigated, though not all have been remedied. This means the flaws could no longer be exploited, but a proper fix would take a longer time as patches need to be developed and tested before they can be applied.

The results of the first Mindef Bug Bounty Programme were announced by the ministry's defence cyber chief David Koh on Wednesday (Feb 21).

On the number of bugs found, Mr Koh, who is also deputy secretary for special projects, said: "In my view, it is in the Goldilocks zone - not too big, not too small."

He added: "If it was too small, the success of the programme would be called into question, because one could argue that not enough people took part, they weren't good enough, and the systems weren't tested robustly.

"If the number was too big, it calls into question our professionalism to begin with."

The top hacker, a 30-year-old who wanted to be known only as Darrel, reported nine valid and unique vulnerabilities, receiving a total bounty of US$5,000.

He spent about two hours a day during the three weeks hunting for vulnerabilities and submitted a total of 16 reports.

Asked how secure Mindef's systems were, he said: "In general, they are quite secure.

"They could ward off amateur hackers who are just running scanners, automated scans or tools against the website. They have a pretty sensitive firewall that blocks off intrusive attempts aggressively."

Deputy chief executive (development) at the Cyber Security Agency of Singapore, Mr Teo Chin Hock, said in a statement there were many learning points from the ministry's programme, and that companies and organisations which are attractive targets for hackers should consider it.

United States-based bug bounty company HackerOne was engaged to manage the programme.

The total payout of US$14,750 was given to 17 hackers. Their rewards ranged from US$250 to US$2,000.

The first report was submitted 83 minutes after the programme's launch. The ministry responded in five hours on average to the hackers' reports.

Of the participating hackers, 100 were based in Singapore and 164 came from HackerOne's network of about 175,000 international hackers; that group included 57 of the top 100 ranked hackers in HackerOne's network.

They tested eight of the ministry's Internet-facing systems, such as the Mindef website and LearNet 2 Portal, a learning resource portal for trainees.

The discovery of the bugs does not mean "we have 100 per cent security", said Mr Koh.

"Even if it was 100 per cent on the day the programme ended, something new may come up. It's just more secure than when we started."