26 vulnerabilities detected from 2nd Singapore Govt bug bounty programme

SINGAPORE: A total of 26 vulnerabilities were detected in five highly used Internet-facing government systems and websites, according to a joint press release by the Government Technology Agency (GovTech) and Cyber Security Agency of Singapore (CSA) on Monday (Mar 4).

The findings of the Singapore Government’s second bug bounty programme were announced by Senior Minister of State for Communications and Information Janil Puthucheary during his ministry’s Committee of Supply debate on the same day.

About 400 ethical, or white hat, hackers signed up to find holes in the REACH website, Gov.sg website, Ministry for Communications and Information’s Press Accreditation Card online, the Ministry of Foreign Affairs website and MFA’s eRegister portal.

The programme ran from Dec 27 last year to Jan 16 this year, the press release said. 

Of the 26 validated vulnerabilities, one was considered “high severity” and 18 were medium severity. The remaining were considered low vulnerability, the agencies said, adding all of these have been fixed.

The total bounty paid out was US$11,750, the press release said, which was lower than the US$14,750 doled out in the first one conducted for the Ministry of Defence.

READ: Hacker awarded US$5,000 after finding 9 vulnerabilities in MINDEF systems

“This process raised our cybersecurity standards,” Dr Puthucheary said.

“We gained insights into potential attack vectors, better secured our Web applications and improved our mechanisms for patching vulnerabilities effectively and comprehensively.”

GovTech and CSA said they will expand the next edition of the Government bug bounty programme to include more Government ICT systems and websites.

PROFILE: LOCAL HACKER SAMUEL ENG

Of the 400 hackers who took part, Singaporean Samuel Eng came in second overall after finding four validated vulnerabilities and taking home US$1,750 in bounty money.

The 29-year-old told Channel NewsAsia in an email interview that he has a day job as a penetration tester and security consultant at ST Electronics (Info-Security). He had initially wanted to take part in the MINDEF bug bounty programme but had “other personal commitments” and could not participate.

This was why he was “thrilled” to be given a second chance to “try my hands on Government ICT systems” when the second programme was announced last year, he shared.

He added that his accomplishments showed that Singaporeans can compete globally with other top hackers in such programmes.

“I am very proud to see my name alongside many other famous names on the programme’s leaderboard.”

He did point out that determination is key for Singaporeans to compete internationally.

“It is common for even seasoned professionals to start off finding absolutely zero bugs for days, weeks and sometimes even months,” Mr Eng said. “More commonly, there are people who (give) up before even trying because of overcrowding in public programmes.”  

But how can Government systems be better secured against hackers of his ilk, or worse, those with malicious intent?

Mr Eng believed that the low number of vulnerabilities uncovered and their limited implications show that Government systems here are “pretty secure”.

“It is a great step for the Government to work with the local and overseas hacker communities, and I hope that penetration testing will go along with bug bounty programmes to further strengthen the security of important government IT systems,” he said.

Comments are closed.