The Singapore government is planning another bug bounty programme to identify potential security holes across nine of its online digital services as well as ICT systems that facilitate high user interaction. Depending on the severity of the bug identified, between US$250 and US$10,000 will be paid out for each unique, validated security vulnerability report.
Led by the Singapore Government Technology Agency (GovTech) and the Cyber Security Agency, the bounty programme was scheduled to run from July to August 2019, according to HackerOne. This is the third bug-hunting exercise the bounty platform will be running for the Singapore government, following two others involving GovTech and the Ministry of Defence (Mindef).
Some 200 international hackers and 100 local hackers would be invited to participate in the latest bug hunt, with participants invited based on their previous performance metrics on HackerOne’s platform. Results were slated to be unveiled in September 2019.
GovTech’s previous bug bounty programme had involved 400 local and international hackers, who collectively identified 26 vulnerabilities and earned almost US$12,000 for their effort. Mindef’s HackerOne programme in early 2018 led to the discovery of 35 vulnerabilities.
HackerOne’s director of programme management Paul Griffin said: “Tapping the skilled and global hacker community is the most efficient way to approach security testing. The latest bug bounty program continues to signal momentum in the constant battle against malicious actors on the internet.”
In recent years, Singapore’s public sector has been the target of cybercriminals who, amongst others, compromised the personal data of 1.5 million SingHealth patients and 850 national servicemen and employees. Security lapses also affected 14,200 individuals with HIV and 808,201 blood donors, exposing their personal information.
CSA last month released a report that revealed a drop in the number of common cyber threats last year, but projected more frequent data breaches and disruptive attacks against the cloud in the near future. It noted that there were 605 instances of website defacements last year compared to 2,040 in 2017, with most of the affected websites owned by small and midsize businesses (SMBs).