Singapore’s Government Technology Agency (GovTech) has launched a new vulnerability disclosure program on HackerOne so researchers can disclose vulnerabilities in government sites.
Started by Singapore’s GovTech, this program allows researchers to examine internet-accessible government sites and applications for vulnerabilities and disclose them to the agency.
“As part of the Government Technology Agency’s (“GovTech”) ongoing efforts to ensure the cyber-security of Government internet-accessible applications used by the citizens, business and public sector employees, GovTech has established this suspected vulnerability disclosure programme (“VDP”) to encourage the responsible reporting of suspected vulnerabilities or weaknesses in IT services, systems, resources and/or processes which may potentially affect Government internet-accessible applications. We look forward to working with the cyber-security research community and members of the public to keep our services safe for all users.”
Rresearchers who want to participate in the Singapore vulnerability disclosure program can target the following services for vulnerability research:
- Government internet-accessible applications for use by the public including Government internet-accessible applications, that are owned by any department or ministry of the Government, any Organ of State or any statutory board. Examples of such Government digital services are “gov.sg” and “ns.sg”, and examples of such mobile applications are “SingPass Mobile” and “SGSecure”.
- Government internet-accessible applications for use by Government employees only, that are provided by any department or ministry of the Government, any Organ of State, or any statutory board. Examples of such web-based and mobile applications are “pacgov.agd.gov.sg”, and “DWP Mobile”.
Unlike many popular bounty programs on HackerOne, researchers will not be rewarded with cash bounties for disclosing vulnerabilities. This decision may lead researchers to stay away from this program compared to using others that they can earn a living.
Singapore bug bounty challenge started over the weekend
Unlike the new vulnerability disclosure programs, HackerOne launched a bug bounty challenge for Singapore’s Ministry of Defense over the weekend that does offer cash rewards for discovered vulnerabilities.
This challenge started on July 28th 2019 and will go through October 21st, 2019.
“The three-week challenge will run from September 30, 2019 to October 21, 2019, and will bring together trusted hackers from around the world to test 11 government-owned targets, including websites and public digital systems belonging to MINDEF/Singapore Armed Forces (SAF) and other agencies in the defense sector. Hackers will search these systems for security weaknesses so they can be safely resolved and therefore, enhance the safety and security of these systems. This year’s bug bounty challenge also has an added focus on personal data protection.”
This challenge is only open to invited trusted researchers who will attempt to find bugs in eleven government-owned targets.