'Hackers' to test 12 systems in third Government Bug Bounty Programme

SINGAPORE - Ethical hackers will look for online vulnerabilities or "bugs" in 12 internet-facing government systems in the third edition of a bug bounty programme, which will take place from Nov 18 to Dec 8, said the Government Technology Agency (GovTech).

In a statement on Monday (Nov 11), GovTech said that in this third Government Bug Bounty Programme (BBP), which it will be conducting together with the Cyber Security Agency of Singapore (CSA), a new special bonus of US$500 (S$680) will be awarded to participants for finding bugs in mobile applications.

GovTech said it decided to award the bonus because of the increased complexity involved in finding bugs in mobile apps.

This bonus will be in addition to the typical rewards given out for the programme, which range from US$250 to US$10,000, depending on the severity of the discovered vulnerability.

GovTech said that the 12 systems to be tested include the Ministry of Home Affairs' eFocus and iWitness web services, the Health Promotion Board's HealthHub app, the Land Transport Authority's website and MyTransport.Sg app, as well as the myTax Portal from the Inland Revenue Authority of Singapore.

The other six are the Accounting and Corporate Regulatory Authority's ACRA On The Go app and Bizfile web service, the National Environment Agency's myENV app, the OneService app from the Ministry of National Development, and the SingStat website and SingStat app.

Similar to the first two Government BBPs, only ethical hackers who have registered with the appointed bug bounty company, HackerOne, will be allowed to participate.

Hackers from both Singapore and overseas can participate.

Almost 700 white hat hackers registered and took part in the previous two BBPs.

GovTech said any vulnerabilities discovered in this BBP will be reported to the relevant organisations for remediation, and that it will share the key findings by February next year.

The first two Government BBPs covered 14 government systems, with a total bounty of close to US$38,000 paid out.

Last month, the Government announced that in addition to the BBPs it conducts, it now also has a complementary programme that invites members of the public to look for bugs in its systems.

The Vulnerability Disclosure Programme (VDP) allows members of the public to identify and report any bugs they find in government Web-based and mobile applications.

GovTech will then work to validate and rectify the vulnerabilities found. There will be no bounty award for bugs found under the VDP.

Individuals who find such bugs can use a vulnerability disclosure link that has been incorporated into all government sites and mobile applications.

They can also e-mail details of the suspected bugs to GovTech.

GovTech warned that the programme does not authorise illegal actions.

Attempts to exploit or test suspected bugs, such as gaining unauthorised access to any computer program or data, are also not allowed.

"These collaborations with the cyber security community-at-large have helped the Government discover vulnerabilities that would otherwise be undetected, and strengthen the security posture of our Information and Communications Technology systems and digital services," said GovTech.
