NSF is top hacker in Mindef's programme that gives cash for discovering software bugs

3SG Eugene Lim, a self-taught hacker with a background in Web development, spent about 10 hours a week hunting down the software bugs.
3SG Eugene Lim, a self-taught hacker with a background in Web development, spent about 10 hours a week hunting down the software bugs.ST PHOTO: DESMOND FOO

SINGAPORE - In the first hour of a Ministry of Defence (Mindef) programme to hunt for computer software bugs, Third Sergeant Eugene Lim discovered one.

The 24-year-old graduate of Yale University went on to find seven other unique vulnerabilities in the following three weeks, to emerge the top hacker in a government bug bounty programme for the second time this year.

Mindef's programme, which began on Sept 30, invited selected white-hat hackers to break into Internet-facing systems and websites that belong to it, the Singapore Armed Forces (SAF) and other defence agencies. They then report the vulnerabilities in exchange for a cash bounty.

3SG Lim, a self-taught hacker with a background in Web development, spent about 10 hours a week - mostly on weekends - hunting down the bugs.

With more protection mechanisms nowadays, the full-time national serviceman said a hacker needs to be creative to think of bypasses.

"If they put a lock on the front door, you've got to find a window, an unlocked back door, to get yourself into the house... If you just think of the most obvious way, then the defender has already thought of it to protect against you."

"But you must also be meticulous, because even the smallest crack can allow an attacker to come in," he added.

Mindef announced the results of its second bug bounty programme on Friday (Nov 1).

The hackers receive bounties ranging from US$150 to US$10,000 in cash, depending on the severity of the discovered vulnerabilities.

 
 

The hunt drew 305 white-hat hackers: 134 local and 171 international. White-hat hackers use their skills to improve security by exposing vulnerabilities before malicious hackers can detect and exploit them.

Of the 52 bug reports submitted, 20 were deemed valid, resulting in a total bounty payout of US$16,000 (S$21,730).

The programme tested 11 major Internet-facing systems and websites, with an added focus on personal data protection.

The first Mindef bug bounty programme, held last year, involved 264 white hat hackers. A total of 35 bugs were uncovered and a bounty of US$14,750 was paid out.

On Friday, awards were given to the top-performing local white-hat hackers at an event held at Funan mall. 3SG Lim took home the Top Bug Hunter and First Reported Bug awards.

He was also the top hacker in the second Government Bug Bounty Programme held from July to August earlier this year conducted by the Government Technology Agency and the Cyber Security Agency.

Speaking to reporters ahead of the event, 3SG Lim, who is the holder of a prestigious government scholarship, said he was motivated by the opportunity to help strengthen the Government's cyber defences.

"I have an interest in contributing to Singapore, and to be able to test government systems - that was interesting to me. (I was also motivated by) the opportunity to learn something new," he said.

 
 

Graduating with a double major in computer science and history, he will work as a civil servant when he completes his national service this year.

He is a registered white-hat hacker with the US-headquartered HackerOne, which Mindef's Defence Cyber Organisation had engaged to run the programme.

One of the reasons for his performance was his motivation, he said. "As an NSF, if I'm able to find bugs in a Mindef programme, that's a big motivation because it's relevant to me."

Defence Cyber Chief, Brigadier-General Mark Tan, said the programme was part of Mindef's continued commitment to work with industry and the cyber-security community to strengthen its defences against increasingly sophisticated attacks and safeguard personal data under its charge.

"We are glad to see the participation of so many international and local white-hat hackers, and hope that it will generate a vibrant cyber-security ecosystem in Singapore where citizens play an active role in helping to secure our national networks and systems," he added.