31 vulnerabilities remediated in second Government Bug Bounty Programme

01 Oct 2019

GovTech launches Vulnerability Disclosure Programme to further strengthen ecosystem collaboration

The Government Technology Agency (GovTech) and Cyber Security Agency of Singapore (CSA) have successfully concluded the second Government Bug Bounty Programme (BBP). This second BBP was conducted from 8 to 28 July 2019. Its findings were released at the sidelines of the Singapore International Cyber Week 2019.  

The BBP is part of the Government’s ongoing efforts to build a secure and resilient Smart Nation. It complements the conventional methods of vulnerability assessment and penetration testing, enabling the government to benchmark its defences against the global and local community of researchers and white hats. The inaugural BBP was conducted from 27 December 2018 to 16 January 2019.

The second edition of BBP covered nine Internet-facing government ICT systems and digital services with high user touchpoints: SingPass and MyInfo (GovTech); OneMap website and mobile (Singapore Land Authority); MASNET and MAS corporate website (Monetary Authority of Singapore); Parents Gateway (Ministry of Education); and SGWorkPass mobile and Check Work Pass Status e-Service (Ministry of Manpower). 

Key highlights of the second Government BBP
  • Of the 31 validated vulnerabilities, four were considered “high severity” and the remaining 27 were “medium/low severity”.  All vulnerabilities have been remediated.
  • 290 local and overseas cybersecurity researchers and white hats participated.
  • 70 participants were Singaporeans, of which 30 participated in the first Government BBP.
  • Total bounty paid out was US$25,950.
  • Seven out of the top 10 awarded bounty participants were Singaporeans.
  • The top white hat hacker is a Singaporean (24-year-old NSF with the moniker of “spaceraccoon”). He found nine vulnerabilities, and was awarded US$8,500 in bounty.
As the two BBPs have succeeded in helping us discover vulnerabilities that would otherwise be undetected, the Government will conduct the third BBP in November 2019 to cover more government ICT systems and digital services. We hope to continue this effective engagement of the cybersecurity community and industry to strengthen the security posture of our ICT systems and digital services.

Launch of Vulnerability Disclosure Programme 
The BBP is time bound and limited to a fixed set of systems and services. To complement this, GovTech has also launched a Vulnerability Disclosure Programme (VDP) on 1 October 2019. The VDP invites members of the public to identify and report the discovery of vulnerabilities found in all government internet-facing web-based and mobile applications. More information on VDP can be found in the attached factsheet.


About Government Technology Agency
The Government Technology Agency of Singapore (GovTech) is the lead agency driving Singapore’s Smart Nation initiative and public sector digital transformation. As the Centre of Excellence for Infocomm Technology and Smart Systems (ICT & SS), GovTech develops the Singapore Government’s capabilities in Data Science & Artificial Intelligence, Application Development, Sensors & IoT, Digital Infrastructure, and Cybersecurity.  

GovTech supports public agencies to manage enterprise IT operations and develop new digital products for citizens and businesses. GovTech is the public sector lead for cybersecurity, and oversees key government ICT infrastructure, as well as regulates ICT procurement, data protection and security in the public sector. GovTech is a Statutory Board under the Smart Nation and Digital Government Group (SNDGG) in the Prime Minister’s Office. 

For more information, please visit www.tech.gov.sg.

About the Cyber Security Agency of Singapore
The Cyber Security Agency of Singapore (CSA) provides dedicated and centralised oversight of national cybersecurity functions, and works with sector leads to protect Singapore’s critical services. It also engages with various industries, and stakeholders to heighten cybersecurity awareness as well as to ensure the holistic development of Singapore’s cyber security landscape. The Agency is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. 

For more information, please visit www.csa.gov.sg.