My thoughts on receiving the Top Government Bug Bounty Program (GBBP) Researcher Award

Last week, I attended the Researcher Appreciation Ceremony held alongside the prize ceremony of Jaga the STACK Finale 2022. The Researcher Appreciation Ceremony was held as part of GovTech’s Crowdsourced Vulnerability Discovery Programme (CVDP), where they present various awards, such as the Top GBBP Researcher award.

I can vividly recall that the entire event was filled with not only students, but also working professionals looking for young and bright individuals for internships or job offers, as the student competition includes categories for a variety of education levels (e.g. University). Not to forget, the organiser also invited the local white hat community to attend this event.

Receiving the Top GBBP Researcher and Most Staunch Supporter Awards

It was an honour to be the recipient of the following two awards:

  1. Top GBBP Researcher
  2. Most Staunch Supporter

It was an even greater honour to be able to receive the awards from our Senior Minister of State, Dr Janil Puthucheary.

Receiving the awards from our Senior Minister of State, Dr Janil Puthucheary.

Government Bug Bounty Program (GBBP)

The Government Bug Bounty Program (GBBP) is held multiple times within a year, whereby GovTech, the organiser, will liaise with various Singapore government agencies to invite them onto the program. After they have been on-boarded, they will provide a list of assets allowed to be tested by the invited white hat security researchers.

In case anyone is unfamiliar, white hat security researchers in this context are basically anyone who hacks ethically: they conduct security testing on the list of assets (e.g. a website), identify security vulnerabilities and submit a detailed report to help the asset owner improve their assets, without causing any harm to them and their users.

In the year of 2022, 3 rounds of GBBP were organised. For my contributions in all 3 rounds of GBBP, I was given the Most Staunch Supporter award.

The Most Staunch Supporter award is an elegant looking plaque with an image of Jaga (Hedgehog), the Singapore Government’s mascot for cybersecurity

I was also awarded the Top GBBP Researcher for my performance and leaderboard ranking across the 3 rounds of GBBP.

The Top GBBP Researcher award is a very cute looking trophy with a 3D statue of Jaga (Hedgehog), the Singapore Government’s mascot for cybersecurity, holding a keyboard in each hand [Front-View]
The Top GBBP Researcher award is a very cute looking trophy with a 3D statue of Jaga (Hedgehog), the Singapore Government’s mascot for cybersecurity, holding a keyboard in each hand [45-Degree-View]

My takeaway on the event

I felt that such an event is pretty good, whereby local white hats come together to meet one another and share their experiences with each other. During the event, I met the winners of other GovTech programs, such as the VDP and VRP winners, Benjamin (benlee105) and James (puppykok) respectively, and understood that both of them are aspiring young individuals striving to succeed in the security industry as penetration testers.

VDP means Vulnerability Disclosure Program, whereby white hats who contribute to the program are awarded points for their account. VRP means Vulnerability Report Program, whereby white hats who contribute to the program are awarded monetary awards, which are usually called a ‘bounty’.

The two programs have different lists of assets that are in-scope for security testing. Based on my understanding, VRP is invite-only, whereas VDP has no restriction. Check out GovTech’s official website for more details of VDP.

Why did I participate in GBBP

For noble reasons, I would say that it is due to national pride. It all started in a random conversation when I was in the army and I was surrounded by various winners of GBBP, Samuel (samengmg) and Eugene (spaceraccoon), and then my friend, Rong Hwa, persuaded me to participate and contribute to the program. My aim is to put the Singapore flag onto the leaderboard of the GBBP program!

For personal reasons, I felt that as a Singaporean, all these systems that belong to the Singapore government agencies are very close to my heart. Does anyone still remember the SingHealth incident? How did you feel when the personal health records of your loved ones were publicly disclosed online, be it dumped on some website or sold on the dark web?

Kudos to the GovTech CVDP team

Over each GBBP organised, the organising team were proactive in seeking feedback from the participants and I have personally provided them with a list of things that could have been done better. Progressively, I could see the team improving and making collaborations easier for the participants over the year. There are still areas for improvement, but I do appreciate all the changes that have taken place thus far.

It is not an easy feat to organise all these GBBP runs, given the nature of government agencies and the fact that they have to liaise between so many parties, so kudos to the GovTech CVDP team!

A group photo with our Senior Minister of State, Dr Janil Puthucheary, GovTech’s senior leaders, organising team for the Jaga the STACK 2022, folks from GovTech CVDP and fellow award winners.

Lastly, I will be looking forward to seeing more participation and contribution from the local white hat community for the security testing of Singapore’s government agencies!

kongwenbin: I am a security enthusiast, penetration tester and bug hunter who has a great passion in the area of information security. I love to share. Please feel free to leave a comment on my posts. Learning never stops!