
Singapore MINDEF's Bug Bounty Challenge nets 32 vulnerabilities in three weeks

22 Feb 2018

The Singapore Ministry of Defence (MINDEF) handed out more than US$14,000 in bounties to 17 hackers who participated in the first MINDEF Bug Bounty Challenge, which concluded earlier this month.

264 ethical hackers from across the globe participated in the challenge, which enabled MINDEF to resolve 35 vulnerabilities in just three weeks.

“The global representation of hackers in the MINDEF Bug Bounty Challenge shows the overwhelming appetite from the hacker community to help governments operate more securely,” comments HackerOne cofounder and CTO Alex Rice.

Hackers were asked to penetrate three defence systems including the Ministry’s public website, NS Portal and Defence Mail.

The 35 vulnerability reports comprised 23 low, 10 medium, two high and zero critical severity vulnerabilities. No participant found any critical vulnerabilities, and for those that were discovered, the Defence Ministry responded within five hours on average.

The Ministry awarded a total of $14,750 in bounties to 17 hackers. The highest reward was $2000 to a researcher known as Shivadagger.

“Due to the fast-changing cybersecurity landscape, no agency can single-handedly keep up with the identification and plugging of security gaps by itself. Inviting white hat hackers to test our systems allowed MINDEF to find previously unidentified vulnerabilities quickly, and effectively strengthen the security of our defence systems,” says MINDEF’s defence cyber chief and deputy director of special projects, David Koh.

“The success of the program helped us boost our cybersecurity in a matter of weeks,” Koh continues.

He believes the program allowed MINDEF to leverage a global talent pool of hackers to create more secure systems.

The MINDEF Bug Bounty Challenge was the first crowdsourced security initiative run by the Ministry. It claims the program is also the first of its kind by a government agency in Asia.

“The Singapore Ministry of Defence must be applauded for being one of the first few government agencies, and the first in Asia, to embrace such a forward-thinking approach to security. MINDEF’s program signals further momentum for government agency collaboration with the hacker community,” Rice adds.

Bug Bounty participants hailed from Singapore, India, Pakistan, the US, Romania, Canada, Russia, Sweden, Ireland and Egypt.

The United States Department of Defense, the US General Services Administration and the European Commission have also called on ethical hackers to spot vulnerabilities.

Enterprises such as Google Play, Nintendo, Qualcomm, GitHub, the CERT Solution Center and Starbucks have also conducted their own bug bounties.

According to HackerOne, its customers have resolved more than 63,000 vulnerabilities and awarded over $25M in bug bounties. More than 1000 organisations have used HackerOne services to discover critical software vulnerabilities.
