Government fixes 31 vulnerabilities found by 'white hat' hackers; scheme for public to report more bugs launched


SINGAPORE - The Government has rectified 31 vulnerabilities in its systems found by ethical or "white hat" hackers who had been invited to look for bugs, and it has launched a new complementary programme to invite members of the public to do so too.

The 31 vulnerabilities were found in nine systems tested as part of the second Government Bug Bounty Programme (BBP), whose results were released on Tuesday (Oct 1).

The organisers of the programme - the Government Technology Agency (GovTech) and Cyber Security Agency (CSA) - said that out of the 31 bugs found, four were classified as "high" severity and the remaining 27 were of "medium/low" severity.

The agencies said the total payout for the programme, which took place from July 8 to 28, was US$25,950 (S$35,870).

Of the 290 hackers who took part in this edition of the BBP, 70 were local.

Seven out of the top 10 hackers were Singaporean, including a 24-year-old full-time national serviceman who found nine vulnerabilities and was awarded US$8,500.

The systems that were tested in this BBP include the Parents Gateway app by the Ministry of Education, the Check Work Pass Status e-service by the Ministry of Manpower, and SingPass, the national system used to access key government services.

The two agencies said the Government will be conducting another BBP in November to include more government systems. It was first held from December last year to January and found 26 vulnerabilities then.

To participate in this programme, these ethical hackers had to be registered with GovTech's appointed bug bounty company, United States-based HackerOne.

As part of the contract requirements, the participants' credentials were vetted and verified by HackerOne before they were allowed to take part in the BBP.

Hackers chosen for the BBP also had to sign an agreement not to share the vulnerabilities they found.

To complement the efforts from the BBP, GovTech on Tuesday launched the Vulnerability Disclosure Programme (VDP) to allow members of the public to identify and report any bugs they find in government Internet-facing Web-based and mobile applications.

GovTech will then work to validate and rectify the vulnerability found. There will be no bounty award for bugs found under the VDP.


Individuals who find such bugs can use a vulnerability disclosure link that has been incorporated into all government sites and mobile applications.

They can also e-mail GovTech with details of the suspected bug.

GovTech warned that the programme does not authorise illegal actions. Attempts to exploit or test suspected bugs, such as gaining unauthorised access to any computer program or data, are also not allowed.

At the opening of the Singapore International Cyber Week on Tuesday at the Suntec Convention and Exhibition Centre, Senior Minister Teo Chee Hean said the VDP is intended to provide a channel for anyone, be it white hat hackers, cyber-security researchers or members of the public, to report any bugs they find.

Said Mr Teo, who is also Coordinating Minister for National Security: "Through this programme, we hope to send the signal that we have a shared responsibility, together with cyber defenders locally and internationally, to make our cyberspace safer and more resilient."

It was also announced at the Singapore International Cyber Week that a new committee has been formed to design a new roadmap for cyber security standards that will raise the quality of online security products and services here.

This 17-member Coordinating Committee for Cybersecurity comprises government officials, private industry professionals and academics. Formed by CSA and Enterprise Singapore, it will be parked under the Singapore Standards Council.

The coordinating committee will be publishing the new roadmap, called the Cybersecurity Standards Roadmap, next year.
