The three-week bug hunting program is limited to internet-facing systems and will focus on nine widely used systems, including the GovTech-run SingPass and MyInfo websites for transacting with government agencies online; the Singapore Land Authority’s OneMap website and mobile app; and the Monetary Authority of Singapore’s MASNET and MAS corporate websites used by financial institutions.
Others include the Ministry of Education’s Parents Gateway and the Ministry of Manpower’s SGWorkPass mobile and CheckWorkPass Status e-Service.
Singapore kicked off its first government three-week bug bounty in December 2018, offering pre-selected researchers awards of up to $10,000 per bug. The program helped resolve 26 bugs, with total rewards to researchers of just under $12,000.
Singapore’s Ministry of Defence (MINDEF) had run a separate bug bounty in early 2018 that produced 35 valid bug reports and a top individual prize of $2,000.
As with the previous GovTech and CSA bug bounty programs, this new program will be managed by third-party bug bounty firm HackerOne. Rewards range from US$250 to US$10,000. The program will run from July to August 2019, and GovTech intends to announce key findings in September 2019.
One beneficiary of the EC’s bug bounty was the project behind the popular VLC media player, which in June released its biggest security update ever. But key VLC developers were left with mixed feelings about the program because it attracted both scammers and actually technically competent hackers who helped it resolve security bugs.