The MINDEF Bug Bounty Programme is the Singapore Government's first bug bounty programme. Selected white-hat hackers will test major MINDEF Internet-facing systems for vulnerabilities (or "bugs"), and will receive rewards (or "bounties") for doing so. The programme will be facilitated by a reputable bug bounty company, HackerOne, which has facilitated similar programmes for other government agencies like the United States Department of Defense, and major companies like Intel and Twitter.
Singapore is constantly exposed to the increasing risk of cyberattacks, and MINDEF is an attractive target for malicious cyber activity. It is not possible to fully secure modern day computer software systems, and new vulnerabilities are discovered every day. As hackers with malicious intent find new methods to breach networks, MINDEF must constantly evolve and improve its defences against cyber threats.
The programme will run from 15 January to 4 February 2018, involving some 300 selected white-hat hackers from around the world. The hackers will be invited to find bugs in MINDEF's Internet-facing systems, and thereafter disclose these vulnerabilities to MINDEF. Eight Internet-facing systems will be involved in the programme, as shown in Table 1 below(1).
Table 1: List of systems involved in the MINDEF Bug Bounty Programme
Hackers will be financially rewarded for disclosing valid and unique vulnerabilities to MINDEF, with more critical vulnerabilities receiving larger bounties. The reward can range from about S$150 to about S$20,000 based on previous programmes organised by HackerOne. The total amount paid out in rewards is dependent on the number and quality of the vulnerabilities discovered, and is expected to cost significantly less than hiring a dedicated commercial cybersecurity vulnerability assessment team.
It is important to strengthen our defences against the increasing number and sophistication of cyberattacks. The programme uses an innovative, effective and fast, yet responsible crowd-sourcing approach to test and enhance Singapore's defence networks and systems against cyber threats.
(1) The SAF's operational systems, which are not Internet-facing, will not be included in the programme.