Singapore’s Government Technology Agency (GovTech) has launched a new Vulnerability Rewards Programme (VRP) as part of its Government Bug Bounty Programme (GBBP) and Vulnerability Disclosure Programme (VDP). The government of Singapore will reward hackers with up to $5,000 through the bug bounty program. To participate, researchers will need to register and report vulnerabilities through HackerOne.
The program aims to test the infrastructure critical for the uninterrupted operations of essential services in Singapore’s digital economy.
What is a bug bounty?
For the uninitiated, hackers are of two kinds: white hat and black hat. While those donning the black hat intrude into systems to damage or hold them for ransom, white hat hackers find vulnerabilities to report them to the appropriate organization or institution.
Many companies, including giants such as Google, Microsoft and Apple, reward such white hat hackers with money. Such rewards are known as a ‘bug bounty’. Although the Indian government doesn’t necessarily reward such hackers, it does accept vulnerability reports through CERT-In and NCIIPC.
Most recently, Poly Network offered a hacker a $500,000 bug bounty reward for orchestrating the largest cryptocurrency heist to date.
Singapore’s Reward Program
The program offers monetary rewards ranging from $250 to $5,000, depending on the severity of the reported vulnerability. However, there’s a special reward of $150,000 if a hacker discovers a vulnerability that could cause “exceptional impact on selected systems and data”.
The program currently covers three systems: Singpass and Corppass (GovTech), Member e-services (Ministry of Manpower), and Workpass Integrated System 2 (Ministry of Manpower). The government will add more critical systems in the future.
To participate in the program, hackers will need to register with HackerOne, which will carry out strict checks. Once the checks are done, participants will be able to carry out probing/penetration testing using a VPN.
But why do we need hackers to lurk in critical infrastructure?
Large organizations use bug bounty programs to attract talent with cybersecurity skills to probe their information systems. Many cybersecurity professionals even take part in bug bounty programs as a side project. An official at GovTech said:
“Since the launch of our first crowdsourced vulnerability discovery programme in 2018, we have partnered with over 1,000 highly skilled white hat hackers to discover about 500 valid vulnerabilities.”
Although governments appreciate hackers finding vulnerabilities in general, they also create programs where they allow a select few participants into an organization’s internal private network.