Singapore’s GovTech launches Vulnerability Disclosure Programme

The Government Technology Agency (GovTech) of Singapore has launched a Vulnerability Disclosure Programme (VDP) on the HackerOne platform, inviting members of the public to identify and report vulnerabilities in all government internet-facing web-based and mobile applications.

The VDP is the second initiative that GovTech has launched in partnership with hacker-powered penetration testing and bug bounty platform HackerOne.

The first partnership, also carried out in collaboration with the Cyber Security Agency, was the second Government Bug Bounty Programme, which saw 31 vulnerabilities discovered and remediated thanks to hackers.

Nearly 300 white hat hackers from around the world participated in the second Government BBP, helping to discover vulnerabilities in nine public government Information and Communication Technology (ICT) systems and digital services with high user touch points from July 8 to July 28, in exchange for monetary rewards also known as bounties.

For the 31 vulnerabilities discovered, US$25,950 was paid out in bounties for successful findings.

Of the vulnerabilities reported through the GBBP on HackerOne, four were considered “high severity” and the remaining 27 were “medium/low severity”.  

About a quarter of the hackers were Singaporeans, 30 of whom had participated in the first GBBP, and seven out of the top 10 hackers who earned bounties were Singaporeans. The top hacker was “@spaceraccoon”, a 24-year-old Singaporean who found nine vulnerabilities and was awarded US$8,500.

The VDP is a part of the Singapore Government’s ongoing commitment to collaborate with the cybersecurity community to build a secure and resilient Smart Nation.

In addition to the VDP, GovTech will conduct a third government BBP in November 2019 to continue to strengthen and enhance the cybersecurity of government systems and applications.