The Singapore Government Technology Agency (GovTech) on Tuesday introduced a new Vulnerability Rewards Programme (VRP) on HackerOne that offers bug bounty rewards of up to $150,000.
GovTech already runs a Government Bug Bounty Programme (GBBP) and a Vulnerability Disclosure Programme (VDP), but aims to further expand its cybersecurity capabilities to better protect the Government’s Infocomm Technology and Smart Systems (ICT&SS).
By running three crowdsourced vulnerability discovery programs, GovTech aims to combine continuous reporting with seasonal in-depth testing, complementing the routine penetration testing the government already performs on its own systems.
The expanded VDP is open to all members of the public to identify and report security holes in Internet-facing systems, but only white hat hackers who meet strict criteria are allowed to participate in the GBBP and VRP, because higher-value systems are involved.
Selected systems are open for testing for each iteration of the seasonal GBBP, while the new VRP is meant to ensure continuous testing of a broad range of critical ICT systems that support the delivery of essential digital government services.
Vulnerability reports submitted through the VRP may qualify for monetary rewards ranging from $250 to $5,000, depending on the severity of the vulnerability. Security flaws that could cause “exceptional impact on selected systems and data” may qualify for a special bounty of up to $150,000.
“The special bounty is benchmarked against crowdsourced vulnerability programmes conducted by global technology firms such as Google and Microsoft. This signals the Singapore Government’s commitment to secure critical ICT systems and sensitive personal data,” GovTech says.
Initially, the VRP will cover three systems, namely Member e-Services (Ministry of Manpower – Central Provident Fund Board), Singpass and Corppass (GovTech), and Workpass Integrated System 2 (Ministry of Manpower).
With the VRP running on HackerOne, the platform will be responsible for vetting the white hat hackers who are allowed to participate. Testing will be performed through a designated virtual private network (VPN) gateway provided by HackerOne, and participants who violate the programme's Rules of Engagement (ROE) may have their VPN access revoked.