Hackers find 35 flaws in Mindef's systems in 'bug bounty'' programme
Hackers invited to test the Ministry of Defence's systems earlier this year found 35 bugs, including two classified as "high" severity.
Of the 264 hackers, the best was a Singaporean cyber-security manager at Ernst & Young.
The total payout for the programme, which took place from Jan 15 to Feb 4 this year, was US$14,750 (S$19,500).
SEVERITY
If exploited, the high-severity bugs, found on the NS Portal, could have resulted in users being greeted with a defaced webpage, or names of servicemen compromised.
Of the severity of other bugs, 10 were considered "medium" and 23 were "low". None were "critical".
All have been mitigated, though not all have been remedied. This means the flaws can no longer be exploited, but a proper fix will take a longer time as patches need to be developed and tested.
The results of the first Mindef Bug Bounty Programme were announced by the ministry's defence cyber chief David Koh yesterday.
The top hacker, a 30-year-old who wanted to be known only as Darrel, reported nine valid and unique vulnerabilities, receiving US$5,000 in all.
He spent about two hours a day during the three weeks hunting for vulnerabilities, submitting 16 reports.
Asked how secure Mindef's systems were, he said: "In general, they are quite secure.
"They could ward off amateur hackers who are just run scanners, automated scans or tools against the website. They have a pretty sensitive firewall that blocks off intrusive attempts aggressively."
US-based bug bounty company HackerOne managed the programme.
Get The New Paper on your phone with the free TNP app. Download from the Apple App Store or Google Play Store now
