Stephanie Sum

Defence Ministry Resolved 35 Vulnerabilities in Three Weeks, Thanks to Hackers

SAN FRANCISCO -- February 21, 2018 -- The Singapore Ministry of Defence (MINDEF) today announced the results of the first MINDEF Bug Bounty Challenge, which was facilitated by HackerOne, the leading hacker-powered security platform. The three-week program invited 300 ethical hackers to penetrate its systems, including the Ministry's public website, NS Portal, and Defence Mail. The MINDEF Bug Bounty Challenge was the Ministry’s first crowd-sourced security initiative and the first program of its kind by a government agency in Asia.

Hackers were invited to look for vulnerabilities from January 15, 2018 to February 4, 2018 to supplement the progressive work that MINDEF’s security team is already doing. Within the three-week duration of the program, MINDEF received 35 unique vulnerability reports, with no critical vulnerabilities found. Of the 35 unique vulnerability reports, there were 23 low, 10 medium, two high and zero critical severity vulnerabilities. In the process, MINDEF awarded $14,750 in bounties to 17 successful trusted hackers who participated. Hackers participated from all over the world, including the United States, Singapore, India, Romania, Canada, Russia, Sweden, Ireland, Egypt and Pakistan. The highest reward was $2,000. The Defence Ministry responded quickly to hackers’ vulnerability reports, within five hours on average.

“The global representation of hackers in the MINDEF Bug Bounty Challenge shows the overwhelming appetite from the hacker community to help governments operate more securely,” said Alex Rice, co-founder and CTO at HackerOne. “The Singapore Ministry of Defence must be applauded for being one of the first few government agencies, and the first in Asia, to embrace such a forward-thinking approach to security. MINDEF’s program signals further momentum for government agency collaboration with the hacker community.”

MINDEF joins government agencies like the U.S. Department of Defense, U.S. General Services Administration and the European Commission that have leveraged the global hacker community to surface vulnerabilities before they were exploited by criminals. Other organizations that have adopted the bug bounty model include progressive companies like Google Play, Nintendo, General Motors, Starbucks and others.

“Due to the fast-changing cybersecurity landscape, no agency can single-handedly keep up with the identification and plugging of security gaps by itself. Inviting white hat hackers to test our systems allowed MINDEF to find previously unidentified vulnerabilities quickly, and effectively strengthen the security of our defence systems,” said Mr David Koh, Deputy Secretary (Special Projects) and Defence Cyber Chief at Singapore’s Ministry of Defence. “The success of the program helped us boost our cybersecurity in a matter of weeks.”