Skip links

Singapore adds a third bug bounty program – this time to fortify government digital services

Singapore’s governmental digital services arm, GovTech, has launched a “rewards programme” to further crowdsource tests of the nation’s cybersecurity.

The Vulnerability Rewards Programme (VRP) joins the Government Bug Bounty Programme (GBBP) and the Vulnerability Disclosure Programme (VDP), all of which work alongside the government’s own security checks.

“The three crowdsourced vulnerability discovery programmes offer a blend of continuous reporting and seasonal in-depth testing capabilities that taps the larger community, in addition to routine penetration testing conducted by the Government,” proclaimed GovTech in a blog post.

The VRP is designed for continuous testing of a selection of Singapore’s essential digital economy services. Initially this includes its individual and business online account management services, Singpass and Corppass, member e-services for its obligatory pension, healthcare and savings plan services, plus a segment of the services that power issuance of work permits for foreign persons. GovTech said it will progressively add more ICT systems to the programme.

While the VDP is open to anyone from the public, the GBBP and VRP are only available to ethical hackers approved by HackerOne due to the higher value systems involved. Approved participants will get be offered VPN access by HackerOne, to help them conduct security while being monitored by the powers that be. Those who go too far may see access revoked.

Singapore is a country famous for enforcing rules – earning it the not-entirely-ironic nickname “The Fine City” because it levies so many penalties on rule-breakers. That regime should prevent abuse of the VRP.

Participants in the programme stand to earn between $250 and $5000, depending on the vulnerability severity. A critical vulnerability with potentially massive impact can earn a special bounty of $150,000.

GovTech exec Ms Lim Bee Kwan said:

Singapore wants to protect its Smart Nation endeavor at a time when cyberattacks are soaring. In 2020, cybercrime accounted for 43 per cent of all crime in Singapore and attacks on governments in general are viewed as a dark and imminent threat.

A post yesterday from Singapore’s Smart Nation Sensor Platform described the critical interconnectivity of the island nation’s systems by comparing it to the sport of synchronized swimming. For Singapore to realize its vision of becoming a pioneering Smart Nation that avoids disruptive incidents, it will need to protect each individual system from interference to a degree other nations struggle to achieve.

Fortifying the island city-state’s infrastructure in this manner is hardly surprising as both bug bounties and crowdsourcing have become standard operation. This June, Singapore turned to crowdsourcing for its central bank digital currency strategies.

HackerOne has experience partnering with governments, most recently announcing a month-long hacker security test in partnership with the UK government. ®