Ethical hackers who discover and report vulnerabilities in critical government systems like Singpass will be paid up to US$150,000 ($202,000) in cash under a new Government Technology Agency (GovTech) program.
The agency yesterday announced the Vulnerability Rewards Program (VRP) to gather cybersecurity expertise from the global ethical or “white hat” hacker community.
Any errors found are reported to the respective authorities for rectification.
The rewards range from $250 to $5,000, depending on the severity of the vulnerabilities discovered. A special bounty of up to US$150,000 is awarded for the discovery of vulnerabilities that could have “extraordinary” effects on selected systems and data.
Registered participants will be given details of the extraordinary effects.
“The special bounty is being compared to crowdsourcing vulnerability programs run by global technology companies like Google and Microsoft,” GovTech said in a statement. “This signals the Singapore government’s commitment to protecting critical Infocomm Technology (ICT) systems and sensitive personal information.”
The program is continuous and covers three systems: Singpass and Corppass; member e-services of the Ministry of Manpower (MOM) and the Central Provident Fund; and MOM’s integrated work pass system. Other important ICT systems will gradually be added to the program.
These critical systems provide essential digital government services, so only white hat hackers who have been vetted and meet strict criteria or who have been specifically invited are allowed to participate, GovTech said.
Background checks are carried out by HackerOne, a bug bounty platform and community of cyber security experts and white hat hackers.
Registered participants conduct security tests over a virtual private network (VPN) provided by HackerOne.
This is to ensure that the security testing activities stay within the permitted rules of engagement, GovTech said.
Participants who break the rules can have their VPN access removed to minimize potential disruptions to the integrity of government systems.
HackerOne’s website lists bug bounty programs for government agencies like the US Department of Defense, major telecommunications providers like AT&T, payment solution providers like PayPal, and technology giants like Twitter.
GovTech said the VRP will complement its existing Government Bug Bounty program, which started in 2018, and its Vulnerability Disclosure Program, which started in 2019.
Lim Bee Kwan, GovTech’s Assistant Chief Executive for Governance and Cybersecurity, said, “Since launching our first crowdsourced vulnerability detection program in 2018, we’ve worked with over 1,000 highly skilled white hat hackers to discover and resolve approximately 500 valid vulnerabilities.
“The Vulnerability Rewards Program will enable the government to continue leveraging the global cybersecurity talent pool to test our critical systems and protect citizens’ data to build a safe and secure smart nation.”