The MINDEF Bug Bounty Programme commenced on 15 January 2018 and successfully concluded on 4 February 2018. Selected white-hat hackers were invited to test eight major MINDEF Internet-facing systems for vulnerabilities (or "bugs"), and received rewards (or "bounties") for doing so. HackerOne, a reputable international bug bounty company, was engaged to manage the programme.
A total of 264 white hats from around the world participated in this programme, including participants from Canada, Egypt, India, Ireland, Pakistan, Romania, Russia, Singapore, Sweden, and the United States. There were 100 from the local white hat community and 164 (including 57 of the top 100 ranked white hats in HackerOne's network) from HackerOne's network of about 175,000 international white hats.
A summary of the results is as below:
Table 1: Summary of Results
1 Examples include Cross Site Scripting (XSS) vulnerabilities and business logic errors.
Table 2: Severity of Reported Bugs
Total Bounty Payout
The total bounty payout was US$14,750. The amount of bounties paid out ranged from US$250 to US$2,000.
Top Participating Hacker
The top overall white-hat participant is Shivadagger, a local researcher. He reported nine unique vulnerabilities, receiving a total bounty of US$5,000, which is about one third of the total bounty payout. He received US$2,000 for one of the high severity bugs, and between US$250 and US$750 for his other validated bugs.
Singapore is constantly exposed to the increasing risk of cyberattacks, and MINDEF is an attractive target for malicious cyber activity. The nature of modern computer software and systems is that they are not able to be fully secured, and new vulnerabilities are discovered every day. MINDEF takes a serious view of cyber threats and the security of its systems. The programme was a response to this rapidly-evolving cyber threat landscape, and it served to improve the cybersecurity of MINDEF's Internet-facing systems in an effective manner.