SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Singapore MINDEF's Bug Bounty Challenge nets 32 vulnerabilities in three weeks
Thu, 22nd Feb 2018

The Singapore Ministry of Defence (MINDEF) handed out more than US$14,000 in bounties to 17 hackers who participated in the first MINDEF Bug Bounty Challenge, which concluded earlier this month.

264 ethical hackers from across the globe participated in the challenge, which enabled MINDEF to resolve 35 vulnerabilities in just three weeks.

“The global representation of hackers in the MINDEF Bug Bounty Challenge shows the overwhelming appetite from the hacker community to help governments operate more securely,” comments HackerOne cofounder and CTO Alex Rice.

Hackers were asked to penetrate three defence systems including the Ministry's public website, NS Portal and Defence Mail.

The 35 vulnerability reports comprised 23 low, 10 medium, two high and zero critical severity vulnerabilities. No participant found any critical vulnerabilities, and for the ones that were discovered, the Defence Ministry responded within five hours on average.

The Ministry awarded a total of $14,750 in bounties to 17 hackers. The highest reward was $2000 to a researcher known as Shivadagger.

“Due to the fast-changing cybersecurity landscape, no agency can single-handedly keep up with the identification and plugging of security gaps by itself. Inviting white hat hackers to test our systems allowed MINDEF to find previously unidentified vulnerabilities quickly, and effectively strengthen the security of our defence systems,” says MINDEF's defence cyber chief and deputy director of special projects, David Koh.

“The success of the program helped us boost our cybersecurity in a matter of weeks,” Koh continues.

He believes the program allowed MINDEF to leverage a global talent pool of hackers to create more secure systems.

The MINDEF Bug Bounty Challenge was the first crowdsourced security initiative run by the Ministry. It claims the program is also the first of its kind by a government agency in Asia.

“The Singapore Ministry of Defence must be applauded for being one of the first few government agencies, and the first in Asia, to embrace such a forward-thinking approach to security. MINDEF's program signals further momentum for government agency collaboration with the hacker community,” Rice adds.

Bug Bounty participants hailed from Singapore, India, Pakistan, the US, Romania, Canada, Russia, Sweden, Ireland and Egypt.

The United States Department of Defense, the US General Services Administration and the European Commission have also called on ethical hackers to spot vulnerabilities.

Enterprises such as Google Play, Nintendo, Qualcomm, GitHub, the CERT Solution Center and Starbucks have also conducted their own bug bounties.

According to HackerOne, its customers have resolved more than 63,000 vulnerabilities and awarded over $25M in bug bounties. More than 1000 organisations have used HackerOne services to discover critical software vulnerabilities.