The Ministry of Defence (MINDEF)'s Defence Cyber Chief, Mr David Koh, announced the MINDEF Bug Bounty Programme on the sidelines of his visit to the Cyber Defence Test and Evaluation Centre (CyTEC) earlier today. In a first for a Singapore Government agency, selected white-hat hackers(1) from around the world will test major MINDEF Internet-facing systems for vulnerabilities (or "bugs"), and will receive rewards (or "bounties") for doing so.
Cyber is a new battlefront. Singapore is constantly exposed to the increasing risk of cyberattacks, and MINDEF is an attractive target for malicious cyber activity. As hackers with malicious intent find new methods to breach networks, MINDEF must constantly evolve and improve its defences against cyber threats.
Emphasising the importance of strengthening Singapore's cyber defences amidst this changing landscape, Mr Koh said that the programme, utilising crowdsourcing, is one such innovative and effective way of doing so. He said, "This is the first time that MINDEF is launching such a bold programme… White-hat hackers participating in this programme will be given the mandate to 'hack' MINDEF, to find bugs in our major Internet-facing systems… For each valid and unique bug that the hacker finds, he will receive a bounty."
On the need for such a programme, Mr Koh said that it is not possible to fully secure modern computer software systems, and new vulnerabilities are discovered every day. He added that due to the fast changing cyber landscape, no agency can keep up by itself. Hence, even large companies use this crowdsourcing approach, which is effective and fast.
MINDEF has engaged HackerOne, a reputable international bug bounty company, to run the programme. The programme will be conducted from 15 January to 4 February 2018, involving eight selected Internet-facing systems.
(1) White-hat hackers are computer security specialists who break into protected systems and networks to test and assess their security. These hackers use their skills to improve security by exposing vulnerabilities before malicious hackers (known as black hat hackers) can detect and exploit them.