GovTech offers ethical hackers up to $202k for detecting bugs
Those who find and report security bugs in govt systems will be rewarded
Ethical hackers who discover and report security vulnerabilities in critical government systems such as Singpass will be offered up to US$150,000 (S$202,000) in cash rewards under a new programme launched by the Government Technology Agency (GovTech).
The agency yesterday announced the Vulnerability Rewards Programme (VRP) to crowdsource cyber-security expertise from the global ethical or "white hat" hacker community.
Bugs found will be reported to the respective agency for remediation.
The rewards range from US$250 to US$5,000, depending on the severity of the vulnerabilities discovered. A special bounty of up to US$150,000 will be awarded for the discovery of vulnerabilities that could cause "exceptional" impact on selected systems and data.
Details on what constitutes an exceptional impact will be made clear to registered participants.
"The special bounty is benchmarked against crowdsourced vulnerability programmes conducted by global technology firms such as Google and Microsoft," GovTech said in a statement. "This signals the Singapore Government's commitment to secure critical infocomm technology (ICT) systems and sensitive personal data."
The programme will run continuously and cover three systems: Singpass and Corppass; member e-services under the Ministry of Manpower (MOM) and Central Provident Fund; and the MOM's Work Pass Integrated System. Other critical ICT systems will be progressively added to the programme.
These critical systems provide essential digital government services, so only white hat hackers who are vetted and meet strict criteria, or who are specifically invited, will be allowed to participate, GovTech said.
Background checks will be conducted by HackerOne, a bug bounty platform and community of cyber-security experts and white hat hackers.
Registered participants will conduct security testing through a designated virtual private network (VPN) provided by HackerOne.
This is to ensure that the security testing activities are within the permitted rules of engagement, GovTech said.
Participants who breach the rules may have their VPN access revoked to minimise potential disruptions to the integrity of the government systems.
HackerOne's website lists bug bounty programmes for government agencies, such as the United States Department of Defense, major telecommunications operators such as AT&T, payment solutions providers such as PayPal, and tech giants such as Twitter.
GovTech said the VRP will augment its existing Government Bug Bounty Programme, which was launched in 2018, and its Vulnerability Disclosure Programme, launched in 2019.
Ms Lim Bee Kwan, GovTech's assistant chief executive for governance and cyber security, said: "Since the launch of our first crowdsourced vulnerability discovery programme in 2018, we have partnered over 1,000 highly skilled white hat hackers to discover about 500 valid vulnerabilities.
"The Vulnerability Rewards Programme will allow the Government to further tap the global pool of cyber-security talent to put our critical systems to the test, keeping citizens' data secured to build a safe and secure Smart Nation."