
Singapore MINDEF's Bug Bounty Challenge nets 32 vulnerabilities in three weeks

22 Feb 18

The Singapore Ministry of Defence (MINDEF) handed out more than US$14,000 in bounties to 17 hackers who participated in the first MINDEF Bug Bounty Challenge, which concluded earlier this month.

264 ethical hackers from across the globe participated in the challenge, which enabled MINDEF to resolve 35 vulnerabilities in just three weeks.

“The global representation of hackers in the MINDEF Bug Bounty Challenge shows the overwhelming appetite from the hacker community to help governments operate more securely,” comments HackerOne cofounder and CTO Alex Rice.

Hackers were asked to penetrate three defence systems including the Ministry’s public website, NS Portal and Defence Mail.

The 35 vulnerability reports comprised 23 low, 10 medium, two high and zero critical severity vulnerabilities. No participant found any critical vulnerabilities, and for the ones discovered, the Defence Ministry responded within five hours, on average.

The Ministry awarded a total of $14,750 in bounties to 17 hackers. The highest reward was $2000 to a researcher known as Shivadagger.

“Due to the fast-changing cybersecurity landscape, no agency can single-handedly keep up with the identification and plugging of security gaps by itself. Inviting white hat hackers to test our systems allowed MINDEF to find previously unidentified vulnerabilities quickly, and effectively strengthen the security of our defence systems,” says MINDEF’s defence cyber chief and deputy director of special projects, David Koh.

“The success of the program helped us boost our cybersecurity in a matter of weeks,” Koh continues.

He believes the program allowed MINDEF to leverage a global talent pool of hackers to create more secure systems.

The MINDEF Bug Bounty Challenge was the first crowdsourced security initiative run by the Ministry. It claims the program is also the first of its kind by a government agency in Asia.

“The Singapore Ministry of Defence must be applauded for being one of the first few government agencies, and the first in Asia, to embrace such a forward-thinking approach to security. MINDEF’s program signals further momentum for government agency collaboration with the hacker community,” Rice adds.

Bug Bounty participants hailed from Singapore, India, Pakistan, the US, Romania, Canada, Russia, Sweden, Ireland and Egypt.

The United States Department of Defense, US General Services Administration and the European Commission have also called on ethical hackers to spot vulnerabilities.

Enterprises such as Google Play, Nintendo, Qualcomm, GitHub, the CERT Solution Center and Starbucks have also conducted their own bug bounties.

According to HackerOne, its customers have resolved more than 63,000 vulnerabilities and awarded over $25M in bug bounties. More than 1000 organisations have used HackerOne services to discover critical software vulnerabilities.
