The Government Technology Agency (GovTech) and the Cyber Security Agency of Singapore (CSA) said in a joint news release on Monday that a total of 26 vulnerabilities were detected in five highly used Internet-facing government systems and websites.
Senior Minister of State for Communications and Information, Janil Puthucheary, announced the findings of the Singapore Government's second bug bounty programme during his ministry's Committee of Supply debate in parliament.
About 400 "white hat" hackers, or ethical hackers, were invited to find holes in the REACH website, Gov.sg website, Ministry for Communications and Information's Press Accreditation Card online, the Ministry of Foreign Affairs website and MFA's eRegister portal. The programme ran from December 27, 2018, to January 16, 2019.
Of the 26 bugs, however, only one was considered "high severity" and 18 were medium severity. The rest were classified as low severity. Puthucheary told Parliament on Monday that after fixing them, the government has decided to expand the programme to include more Government ICT systems and websites.
As per the news release, the total bounty paid out was US$11,750, lower than the US$14,750 paid out during the first programme, conducted for the Ministry of Defence.
While explaining the programme's objectives, Puthucheary said that this process "raised our cybersecurity standards. We gained insights into potential attack vectors, better secured our Web applications and improved our mechanisms for patching vulnerabilities effectively and comprehensively."
It was also revealed that a quarter of the 400 participants were local residents and seven of the top 10 hackers were Singaporeans. All the participants had to sign an agreement not to share the vulnerabilities they found.
To take part, the ethical hackers had to be registered with GovTech's appointed bug bounty company, US-based HackerOne, which vetted and verified the credentials of the hackers before they were allowed to join the programme.
Singapore's Samuel Eng and Teo Wei Sheng are two of the seven local participants who emerged among the top 10. Samuel came in second in the overall list, having found four validated vulnerabilities and taken home US$1,750 in bounty money, while the 22-year-old Teo found two vulnerabilities and received US$500 for each of them.