The stringent participation criteria and tiered bounties are set to complement those of the country’s other crowdsourced vulnerability bounty programs.

In an attempt to expand crowdsourced efforts to pinpoint cybersecurity weak points in critical public infrastructure, one government has launched what it calls a Vulnerability Rewards Program (VRP).

In addition to its existing Government Bug Bounty Program (GBBP) and Vulnerability Disclosure Program (VDP), Singapore’s Government Technology Agency (GovTech) has launched the VRP to augment safeguards of the country’s infocomm technology and smart systems.

In addition to routine penetration testing conducted within the government, the three crowdsourced vulnerability discovery programs offer a blend of continuous reporting and seasonal in-depth testing capabilities that tap the larger community.

While members of the public can report suspected vulnerabilities on all internet-facing systems through the VDP, the GBBP and VRP are only open to ‘white hat’ hackers (ethical hackers) for testing due to the higher-value systems involved. In particular, the seasonal GBBP focuses on selected systems in each iteration, whereas the new VRP aims to continuously test a wider range of critical ICT systems necessary for the continuous delivery of essential services in the digital economy.

Money for the bounty

The VRP offers monetary rewards ranging from US$250 to US$5,000 to white hat hackers, depending on the severity of the vulnerabilities discovered.

For the discovery of vulnerabilities that could cause an ‘exceptional’ impact on selected systems and data, a special bounty of up to US$150,000 may be awarded. The special bounty is benchmarked against crowdsourced vulnerability programs conducted by global technology firms such as Google and Microsoft.

The program will first cover three systems: Singpass and Corppass (GovTech); Member e-Services (Ministry of Manpower – Central Provident Fund Board); and Workpass Integrated System 2 (Ministry of Manpower). More critical ICT systems will be progressively added to the program.

Only white hat hackers who have met the VRP’s strict criteria will be allowed to access the critical digital government services covered by the program. Checks will be conducted by the appointed bug bounty company, HackerOne. Registered participants will conduct security testing through a designated virtual private network (VPN) gateway provided by HackerOne, so that all testing activity stays within the permitted Rules of Engagement (ROE). If participants breach the ROE, their VPN access may be revoked to minimise potential disruptions to the integrity of the government systems.

According to GovTech’s Assistant Chief Executive for Governance and Cybersecurity, Ms Lim Bee Kwan: “Since the launch of our first crowdsourced vulnerability discovery program in 2018, we have partnered with over 1,000 highly skilled white hat hackers to discover about 500 valid vulnerabilities.”

According to Lim, the new VRP will allow the government to tap more of the global pool of cybersecurity talent to put critical systems to the test, in order to safeguard citizens’ data.