Singapore’s Government Agency for Science and Technology (GovTech) launched a new Vulnerability Rewards Program (VRP) on HackerOne on Tuesday, offering bug bounty rewards of up to $150,000.
This new Vulnerability Reward Program (VRP) by the Government Agency for Science and Technology (GovTech) aims to further enhance the existing Government Vulnerability Reward Program (GBBP) and Vulnerability Disclosure Program (VDP). The three crowdsourced vulnerability mining projects complement GovTech’s cybersecurity capabilities to protect government ICT&SS.
In addition to regular penetration testing conducted by the government, the three crowdsourced vulnerability mining projects offer a mix of continuous reporting and seasonal in-depth testing to tap into the larger community. While the public can report suspected vulnerabilities of all Internet-facing systems through the VDP, GBBP and VRP are only open to “white hat” hackers (or ethical hackers) for testing due to the high value of the systems involved. While the seasonal GBBP focuses on selected systems in each iteration, the new VRP is designed to continuously test a wider range of critical ICT systems that are necessary for the continued delivery of essential services in our digital economy.
VRP offers white hat hackers bonuses ranging from $250 to $5,000, depending on the severity level of the exploit. A special reward of up to $150,000 will be awarded for discovering vulnerabilities that could have an unusual impact on selected systems and data. This special reward is benchmarked against crowdsourced vulnerability projects implemented by global tech companies such as Google and Microsoft. This demonstrates the Singapore government’s commitment to protecting the security of critical ICT systems and sensitive personal data.
The scheme will initially cover three systems: Singpass and Corppass (GovTech); Membership Electronic Services (Ministry of Manpower – Central Provident Fund Board); and Work Pass Integrated System (Ministry of Human Resources). More critical information and communication technology systems will gradually be added to the programme.
Because these systems are critical to delivering vital digital government services, only white hat hackers who meet strict standards are allowed to participate. These checks will be performed by the designated bug bounty firm, HackerOne. Registered participants will conduct security testing through designated virtual private network (VPN) gateways provided by HackerOne. This is to ensure that security testing activities stay within the permitted rules of engagement (ROE). If participants violate the ROE, their VPN access may be revoked to minimize potential disruption to the integrity of government systems.
Ms. Lim Bee Kwan, Assistant Chief Executive Officer of GovTech Management and Cyber Security, said: “Since launching our first crowdsourced vulnerability mining project in 2018, we have worked with over 1,000 highly skilled white hat hackers to uncover around 500 valid vulnerabilities. The new Vulnerability Bounty Program will allow governments to further tap the global pool of cybersecurity talent to test our critical systems and secure citizens’ data to build a safe and secure smart nation.”