Up to US$150,000 for hackers who report cyber weaknesses under new GovTech programme

Registered participants will conduct security testing through a designated virtual private network. ST PHOTO: KELVIN CHNG

SINGAPORE - Ethical hackers who discover and report security vulnerabilities in critical government systems such as Singpass will be offered up to US$150,000 (S$202,000) in cash rewards under a new programme launched by the Government Technology Agency (GovTech).

The agency on Tuesday (Aug 31) announced the Vulnerability Rewards Programme (VRP) to crowdsource cyber-security expertise from the global ethical or "white hat" hacker community. Bugs found will be reported to the respective agency for remediation.

The rewards range from US$250 to US$5,000, depending on the severity of the vulnerabilities discovered. A special bounty of up to US$150,000 will be awarded for the discovery of vulnerabilities that could cause "exceptional" impact on selected systems and data.

Details on what constitutes an exceptional impact will be made clear to registered participants.

"The special bounty is benchmarked against crowdsourced vulnerability programmes conducted by global technology firms such as Google and Microsoft," GovTech said in a statement.

"This signals the Singapore Government's commitment to secure critical infocomm technology (ICT) systems and sensitive personal data."

The programme will run continuously and cover three systems: Singpass and Corppass; member e-services under the Ministry of Manpower (MOM) and Central Provident Fund; and the MOM's Work Pass Integrated System. Other critical ICT systems will be progressively added to the programme.

These critical systems provide essential digital government services, so only white hat hackers who are vetted and meet strict criteria, or who are specifically invited, will be allowed to participate, GovTech said. Background checks will be conducted by HackerOne, a bug bounty platform and community of cyber-security experts and white hat hackers.

Registered participants will conduct security testing through a designated virtual private network (VPN) provided by HackerOne.

This is to ensure that all security testing activity stays within the permitted rules of engagement, GovTech said. Participants who breach the rules may have their VPN access revoked, to minimise potential disruption to the government systems under test.

The new programme is part of a growing trend of companies and governments offering rewards to white hat hackers for finding and reporting bugs.

HackerOne's website lists bug bounty programmes for government agencies such as the United States Department of Defense, major telecommunications operators such as AT&T, payment solutions providers such as PayPal, and tech giants like Twitter.

GovTech said the new VRP will augment its existing Government Bug Bounty Programme (GBBP), which was launched in 2018, and its Vulnerability Disclosure Programme (VDP), which was launched in 2019.

The GBBP also offers monetary rewards, but it runs seasonally and is open only to invited hackers.

The VDP runs continuously and any member of the public can report vulnerabilities found in any of the Government's Web- or mobile-based applications, but it offers only HackerOne reputation points as a reward.

Ms Lim Bee Kwan, GovTech's assistant chief executive for governance and cyber security, said: "Since the launch of our first crowdsourced vulnerability discovery programme in 2018, we have partnered with over 1,000 highly skilled white hat hackers to discover about 500 valid vulnerabilities.

"The new Vulnerability Rewards Programme will allow the Government to further tap the global pool of cyber-security talents to put our critical systems to the test, keeping citizens' data secured to build a safe and secure Smart Nation."