The Ministry of Defence (MINDEF) has announced that its Bug Bounty Programme commenced on 15 January 2018 and successfully concluded on 4 February 2018.
The ministry stated that selected white hat hackers were invited to test eight major MINDEF Internet-facing systems for vulnerabilities or bugs, and received rewards (bounties) for doing so.
HackerOne, an international bug bounty company, was engaged to manage the programme.
A total of 264 white hats from around the world participated in this programme, including participants from Canada, Egypt, India, Ireland, Pakistan, Romania, Russia, Singapore, Sweden, and the United States.
There were 100 from the local white hat community and 164 (including 57 of the top 100 ranked white hats in HackerOne’s network) from HackerOne’s network of about 175,000 international white hats.
The ministry noted that the total bounty payout was US$14,750 (S$19,540). The amount of bounties paid out ranged from US$250 to US$2,000.
A summary of the results is as below:
According to MINDEF, the top overall white hat participant is Darrel Shivadagger, a local researcher.
The 30-year-old cybersecurity manager from Ernst & Young reported nine unique vulnerabilities out of 35, receiving a total bounty of US$5,000 (S$6,606), which is about one-third of the total bounty payout. He also received US$2,000 for one of the high severity bugs, and between US$250 and US$750 for his other validated bugs.
“They (MINDEF) have systems in place that are actually quite sensitive. They actually warded off very intrusive attempts from me. I was able to find only client-side vulnerabilities. I couldn’t really find anything major or server-side related,” Darrel said.
MINDEF stressed that Singapore is constantly exposed to the increasing risk of cyberattacks and MINDEF is an attractive target for malicious cyber activity.
“The nature of modern computer software and systems is that they are not able to be fully secured, and new vulnerabilities are discovered every day. MINDEF takes a serious view of cyber threats and the security of its systems. The programme was a response to this rapidly-evolving cyber threat landscape, and it served to improve the cybersecurity of MINDEF’s Internet-facing systems in an effective manner,” it stated.