Students benefit from HackerOne’s training and expertise earning bounties while securing the university against security vulnerabilities.

HackerOne has announced the successful conclusion of its bug bounty challenge with the National University of Singapore (NUS).

NUS is the first university in Singapore to actively incentivise its own students to hone their hacking skills through a bug bounty challenge. A bug bounty challenge is used by organizations to incentivise ethical hackers to look for software vulnerabilities in exchange for a monetary rewards or ‘bounties’ in return for the disclosed vulnerabilities or ‘bugs’.

The initiative is part of NUS’ forward-thinking approach to both securing its infrastructure and bridging the cybersecurity skills gap by building students’ practical cybersecurity skills. 

During the NUS’ three-week hacking challenge in August 2019, more than 200 students participated, hunting for security vulnerabilities in NUS’ digital infrastructure. Bounties ranged from US$100 for lower severity vulnerabilities to US$1,500 for critical ones. Overall, 13 valid vulnerabilities were safely reported by students with US$4,550 awarded in total. Participating students were also eligible to earn extra academic credits for select course modules on the completion of the training sessions. 

Prior to the launch of the bug bounty challenge, students were equipped with comprehensive training from HackerOne’s dedicated web security training platform, Hacker101. Hacker101 offers webinars, lectures and online training exercises.

This is the second time HackerOne has partnered with a university to empower students to secure their school. In 2017, the University of Berkeley in the U.S. enrolled in an experimental “cyberwar” course, powered by HackerOne. HackerOne continues to invest in the next generation of hackers, partnering with community groups and educators to ensure the internet of the future is a safer place.

“By allowing our students to hack our own applications, we are breaking conventional and conservative notions, and offering students the unique experience of hacking on production systems,” said Tommy Hor, chief information technology officer, NUS. 

“It is not possible to be ‘100% safe’ in cybersecurity. Therefore, we adopt a proactive and predictive approach to cybersecurity and the bug bounty challenge is a great example of this. In this case, participating students are given the opportunity to search for vulnerabilities in the systems and applications they are already familiar with because of regular usage”

 “This complements the regular vulnerability scanning and penetration testing performed by our staff. Collectively, these efforts help us to identify and remediate security vulnerabilities before they can be exploited by malicious threat actors,” Tommy added.

“The bug bounty program provides a great opportunity for us to put our technical skills to the test to find bugs in high-value web applications,” said Ngo Wei Ling, a Year 2 undergraduate from NUS School of Computing who participated and won a bounty.

Another winner, Ahn Tae Gyu, a Year 3 undergraduate from NUS School of Computing, added “We carried out reconnaissance and active enumeration, which enabled us to uncover vulnerable systems and web pages, in which we were able to discover hidden security bugs. This process provided us with the understanding of how web servers in production mode are configured and it is commendable that NUS is aiming to resolve security bugs before malicious attackers are able to exploit them by fostering responsible disclosure.”

“Hacker powered security is the most effective way to find vulnerabilities before they can be exploited,” said Laurie Mercer, security engineer at HackerOne. “I wish I had the chance to contribute to the security of my university when I was an undergraduate. The bugs the NUS students found, including critical reports, show that they have the skills that are needed to create a safer internet. I am excited to see what they can accomplish in the future!”

NUS plans to make the hacking challenge an annual event, and in 2020, it expects to expand the scope of applications to be tested and to reach out to more participants.