Singapore Government tries a second, expanded bug bounty

Credit: ID 129369772 © Djvstock |

The Singapore Government has announced a new short-term bug bounty program to for external hackers to find vulnerabilities in nine key government-run websites.  

The bug bounty is being overseen by the Government Technology Agency of Singapore (GovTech) and the Cyber Security Agency of Singapore (CSA). 

The three week bug hunting program is limited to internet-facing systems and will focus on nine widely-used systems, including the GovTech-run SingPass and MyInfo websites for transacting with government agencies online; the Singapore Land Authority’s OneMap website and and mobile app; and the Monetary Authority of Singapore’s MASNET and MAS corporate websites used by financial institutions.  

Others include the Ministry of Education’s Parents Gateway; and the Ministry of Manpower’s SGWorkPass mobile and CheckWorkPass Status e-Service.

Singapore kicked off its first government three week bug bounty in December 2018, offering pre-selected researchers awards of up to $10,000 per bug. The program helped resolve 26 bugs and total rewards to researchers of just under $12,000

Singapore’s Ministry of Defence (MINDEF) had run separate bug bounty in in early 2018 that produced 35 valid bug reports and a top individual prize of $2,000.    

As with the previous GovTech and CSA bug bounty programs, this new program will be managed by third-party bug bounty firm, HackerOne. Rewards range between US$250 to US$10,000. The program will run from July to August 2019, and GovTech intends to announce key findings in September 2019. 

HackerOne boasts that besides the Singapore Government, others nations’ agencies using it for bug bounties include the U.S. Department of Defense, U.S. General Service Administration, the UK’s NCSC, and the European Commission, which has an ongoing EU-FOSSA program targeting open source program. 

One beneficiary of the EC’s bug bounty was the project behind popular VLC media player, which in June released its biggest security update ever. But key VLC developers were left with mixed feelings about the program because it attracted both scammers and actually technically competent hackers who helped it resolve security bugs.   

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags open sourceeuropean commisionSingaporeHackerOneGovTech

More about CSAEUEuropean CommissionGatewayManpowerMinistry of ManpowerSingapore GovernmentTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts