2nd Singapore Govt bug bounty programme

SINGAPORE: A total of 26 vulnerabilities were detected in five highly used Internet-facing government systems and websites, according to a joint press release by the Government Technology Agency (GovTech) and Cyber Security Agency of Singapore (CSA) on Monday (Mar 4).

The findings of the Singapore Government's second bug bounty programme were announced by Senior Minister of State for Communications and Information Janil Puthucheary during his ministry's Committee of Supply debate on the same day.

About 400 ethical, or white hat, hackers signed up to find holes in the REACH website, Gov.sg website, Ministry for Communications and Information's Press Accreditation Card online, the Ministry of Foreign Affairs website and MFA's eRegister portal.

The programme ran from Dec 27 last year to Jan 16 this year, the press release said.

Of the 26 validated vulnerabilities, one was considered “high severity” and 18 were medium severity. The remaining were considered low vulnerability, the agencies said, adding all of these have been fixed.

The total bounty paid out was US$11,750, the press release said, which was lower than the US$14,750 doled out in the first one conducted for the Ministry of Defence.

“This process raised our cybersecurity standards,” Dr Puthucheary said.

“We gained insights into potential attack vectors, better secured our Web applications and improved our mechanisms for patching vulnerabilities effectively and comprehensively.”

GovTech and CSA said they will expand the next edition of the Government bug bounty programme to include more Government ICT systems and websites.