Hackers to test 12 govt systems in bug bounty programme

Ethical hackers will look for online vulnerabilities or "bugs" in 12 Internet-facing government systems in the third edition of a bug bounty programme, which began yesterday and will go on until Dec 8, said the Government Technology Agency (GovTech).

In this third Government Bug Bounty Programme (BBP), a new special bonus of US$500 (S$680) will be awarded to participants who find bugs in mobile applications, GovTech said in a recent statement.

The bonus was introduced because of the increased complexity involved in finding bugs in mobile apps, said GovTech, which is conducting the BBP together with the Cyber Security Agency of Singapore.

This bonus will be in addition to the typical rewards given out for the programme that range from US$250 to US$10,000, depending on the severity of the discovered vulnerability.

GovTech said the 12 systems to be tested include the Ministry of Home Affairs' eFocus and iWitness Web services, the Health Promotion Board's HealthHub app, the Land Transport Authority's website and MyTransport.Sg app, as well as myTax Portal of the Inland Revenue Authority of Singapore.

The other six are the Accounting and Corporate Regulatory Authority's ACRA On The Go app and Bizfile Web service, the National Environment Agency's myENV app, the OneService app from the Ministry of National Development, and the SingStat website and SingStat app.

Similar to the first two BBPs, only ethical hackers who have registered with the appointed bug bounty company, HackerOne, can participate. Hackers from both Singapore and overseas can take part. Almost 700 "white hat" hackers registered and took part in the previous two BBPs.

GovTech said any vulnerabilities discovered in this BBP will be reported to the relevant organisations for remediation. It will share the key findings by next February. The first two BBPs covered 14 government systems, with a total bounty of close to US$38,000 paid out.

Last month, the Government announced that it now also has a complementary programme to invite the public to look for bugs in its systems. The Vulnerability Disclosure Programme (VDP) allows members of the public to identify and report any bugs they find in government Web-based and mobile apps.

GovTech will then work to validate and rectify the vulnerabilities. There will be no bounty award for bugs found under the VDP. "These collaborations... have helped the Government discover vulnerabilities that would otherwise be undetected, and strengthen the security posture of our information and communications technology systems and digital services," said GovTech.

A version of this article appeared in the print edition of The Straits Times on November 19, 2019, with the headline 'Hackers to test 12 govt systems in bug bounty programme'.