Third Government Bug Bounty Programme offers bonus payouts for mobile applications

Third Government Bug Bounty Programme offers bonus payouts for mobile applications
Bug bounty hunters will receive US$500 special bonus for validated vulnerabilities in mobile apps

The Government Technology Agency (GovTech), supported by the Cyber Security Agency of Singapore (CSA), will be conducting the third Government Bug Bounty Programme (BBP) from 18 November to 8 December 2019.

The third Government BBP, which runs for three weeks, will be expanded to cover 12 Internet-facing government ICT systems, digital services and mobile applications with high user touchpoints: ACRA-on-the-GO Mobile and Bizfile (ACRA); eFocus and iWitness (MHA); HealthHub (HPB); LTA Website and MyTransport Mobile (LTA); MyEnv Mobile (NEA); MyTax Portal (IRAS); OneService Mobile (MND); SingStat Website and SingStat Mobile App (MTI-DOS).

Similar to the first two Government BBPs, only ethical hackers who have registered with the appointed bug bounty company, HackerOne, will be allowed to participate in this programme. Rewards can range from US$250 to US$10,000 depending on the severity of the discovered vulnerability. A special bonus of US$500 will be awarded for validated mobile vulnerabilities in the third Government BBP due to the increased complexities involved in the process.

Discovered vulnerabilities will be reported to the relevant organisations for remediation. GovTech will share the key findings by February 2020.

The BBP is part of the Government’s ongoing efforts to work with the cybersecurity community and industry to strengthen and safeguard government ICT systems and digital services. It complements the conventional methods of vulnerability assessment and penetration testing, enabling the Government to benchmark its defences against the global and local community of researchers and white hats. The first two Government BBPs covered 14 government systems and involved some 700 cybersecurity researchers and white hats, with a total bounty of close to US$38,000 paid out.

To supplement the BBP, which is time bound and limited to a fixed set of systems and services, GovTech launched the Vulnerability Disclosure Programme on 1 October 2019 to encourage the public’s responsible reporting of any suspected vulnerability found in government Internet-facing web-based and mobile applications.

These collaborations with the cybersecurity community-at-large have helped the Government discover vulnerabilities that would otherwise be undetected, and strengthen the security posture of our ICT systems and digital services.

ISSUED BY THE GOVERNMENT TECHNOLOGY AGENCY OF SINGAPORE AND THE CYBER SECURITY AGENCY OF SINGAPORE

About Government Technology Agency

The Government Technology Agency (GovTech) is the lead agency driving Singapore’s Smart Nation initiative and public sector digital transformation. As the Centre of Excellence for Infocomm Technology and Smart Systems (ICT & SS), GovTech develops the Singapore Government’s capabilities in Data Science & Artificial Intelligence, Application Development, Sensors & IoT, Digital Infrastructure, and Cybersecurity.

GovTech supports public agencies to manage enterprise IT operations and develop new digital products for citizens and businesses. GovTech is the public sector lead for cybersecurity, and oversees key government ICT infrastructure, as well as regulates ICT procurement, data protection and security in the public sector. GovTech is a Statutory Board under the Smart Nation and Digital Government Group (SNDGG) in the Prime Minister’s Office.

For more information, please visit https://www.tech.gov.sg. Follow GovTech on Facebook/Twitter/Instagram @GovTechSG.

For media enquiries, please contact:

Medha LIM (Ms)
Senior Manager
Communications & Marketing Group
Government Technology Agency of Singapore
Email: medha_lim@tech.gov.sg

Jacklyn CHEW (Ms)
Manager
Communications & Marketing Group
Government Technology Agency of Singapore
Email: jacklyn_chew@tech.gov.sg