If you are a “white hat” hacker who has a particular set of skills that can help you find vulnerabilities in critical government systems in Singapore, you can get paid as much as US$150,000.
This latest reward or bounty is part of the government’s effort to find vulnerabilities before malicious hackers discover and exploit them for illicit gain.
Offered by GovTech, this Vulnerability Rewards Programme is the latest bug bounty programme aimed at attracting ethical hackers who help organisations find loopholes in electronic systems so they can be fixed.
Prize money of US$250 to US$5,000 is awarded for most regular vulnerabilities that are found, depending on the severity of the issue discovered.
A special US$150,000 reward will be given to those who find a vulnerability that causes exceptional impact. This will be for selected systems that the government will share with those registered with the programme.
Previously, the government had two other bounty programmes that offered either monetary rewards or reputation points on HackerOne, a cybersecurity company that coordinates such bug bounties.
One of them, a seasonal bug bounty programme run since December 2018, had found 100 vulnerabilities. More than S$100,000 had been paid out to participants.
Separately, the public have found vulnerabilities in Internet-facing Web and mobile apps. Since October 2019, more than 900 vulnerabilities from 59 agencies have been reported through this second programme.
The latest programme, which adds to these two already running, will focus on selected Internet-facing critical systems and will be open to those who have achieved HackerOne Clear status and to local hackers invited to join.
The first systems they will be asked to hack into will be GovTech’s Singpass and Corppass, the Central Provident Fund Board’s member e-services and the Ministry of Manpower’s Workpass system.
Only white hat hackers who have met strict criteria set by HackerOne will be allowed to participate. They will be connected via a designated virtual private network (VPN) gateway provided by HackerOne and have to stay within the rules of engagement.