HACKERS BOOST MINDEF CYBER DEFENCES
// STORY Thrina Tham
// PHOTOS Tan Yong Quan
A total of 35 vulnerabilities, or bugs, were uncovered across eight of its major Internet-facing systems, with a total bounty payout of US$14,750 (S$19,500).
"Hackers are very innovative, so MINDEF has to be equally innovative in defending our systems. That's why we ran the Bug Bounty Programme," said Defence Cyber Chief David Koh, who announced programme's results on 21 Feb.
"The programme has met our intended objectives and allowed MINDEF to find previously unidentified vulnerabilities quickly and effectively, and consequently strengthen our defence systems," he added.
The three-week programme saw 264 white hat hackers invited to look for security flaws in MINDEF's systems including the MINDEF, Central Manpower Base, and Defence Science and Technology Agency websites, as well as NS Portal.
These ethical hackers are from around the world, hailing from countries such as India, Romania, Russia, Sweden and the United States. They also included 100 hackers from the local white hat community in Singapore.
Held from 15 Jan to 4 Feb, the programme saw the first vulnerability report submitted 83 minutes after its launch. At the end of the three-week hackathon, a total of 34 participants had reported 97 vulnerabilities, of which 35 were valid.
The initiative is a first for a government agency in Asia, according to HackerOne, the international bug bounty company engaged to run the programme. In a statement, HackerOne said that MINDEF responded quickly to the vulnerability reports, responding within five hours on average. The company has run similar programmes for the US Department of Defence, as well as tech giants Google and Twitter.
Explaining the process, Mr Koh said that each reported bug has to meet certain criteria before it is further verified by MINDEF.
"(Each time a vulnerability is found), we fix the vulnerability immediately (to) mitigate the risk as quickly as possible," he said.
Of all the validated bugs reported, no critical vulnerabilities were found. Two were of high severity, 10 were medium and 23 were low.
The biggest bounty of US$2,000 went to local white hat hacker Mr Darrel for uncovering one of the high-severity bugs.
The cyber security manager at consultancy firm Ernst & Young said that participating in the programme helped him sharpen his skills.
Going by the moniker Shivadagger, he said: "For this programme, you're expected to have a foolproof report they want to know that you can actually go in and exploit (the vulnerability)."
Mr Darrel reported 14 vulnerabilities, of which nine were deemed valid - earning him a total bounty of US$5,000.
The Bug Bounty Programme is part of MINDEF's continuous efforts to build up its capabilities in the cyber arena, which includes the setting up of the Cyber Test and Evaluation Centre (CyTEC) where servicemen train against simulated cyber attacks.
