One of the greatest prizes in cybersecurity is the “zero-day”, or a previously unknown vulnerability in a system. Before they were discovered by researchers, these threats remained unknown, lying dormant and waiting to be exploited. Zero-days are some of the most dangerous threats in cybersecurity. To ferret out these unknown unknowns, dedicated vulnerability hunters in GovTech’s CSG are perpetually on the hunt throughout various systems, always on the prowl for that elusive, dangerous zero-day.

2019 was a bountiful year for our team: CSG’s prolific cybersecurity specialists found 11 zero-day vulnerabilities. These vulnerabilities were discovered in the course of CSG’s Advanced Cybersecurity Capabilities (ACC)’s work in Penetration Tests (PT) and participation in Bug Bounty Programmes (BBP).

What sort of Penetration Tests do we conduct?

PT focuses on identifying vulnerabilities in specific technological solutions that might result in the compromise of security. These technological solutions such as mobile applications, Internet-of-Things (IoT) devices, web applications as well as commercial off-the-shelf (COTS) products.

What sort of bug bounty programmes do we take part in?

BBP are programmes run by the companies to crowdsource the search for vulnerabilities in their internet-facing applications. While BBP are on the whole open to the general public, this has not stopped CSG’s cybersecurity specialists from having their fun too!

Where did we find these vulnerabilities?

The 11 zero-day vulnerabilities ranged from medium to high-risk severities. They were for

- WalkMe’s application suite; and

- Tyler Technologies’ Bug Bounty Programme.

In discovering these vulnerabilities, CSG’s cybersecurity specialists have helped the Singapore government pick better systems for use. At the same time, they have brought international recognition to GovTech in particular and the Singapore Government in general. While some of these vulnerabilities were not publicised due to Non-Disclosure Agreements (NDA), we’re pretty proud that the team’s stellar efforts have been publicly acknowledged.

Some of their discoveries are publicised at these links:

- https://www.walkme.com/bug-bounty-program/; for high-severity zero-day vulnerabilities found on WalkMe, a Digital Adoption Platform.

To continue learning about what CSG’s cybersecurity specialists are up to both at work in their own free time, keep your eye on this space. In upcoming posts, we will be sharing more about innovative attack methods, the latest developments in cybersecurity developments, and most importantly, what can be done to secure our systems.

Till then, keep cyber safe, and cyber ready.

— — —


The crucial work detailed in this article would never have been possible if not for the ceaseless dedication and the inspired brilliance of the following security leaders and researchers:

Chong Rong Hwa | Terence Teo |Eugene Ng | Keith Tay | Goi Si Han | Khoo Bin Jing | Khor Teck Chung | Chang Yin Hong | Loke Hui Yi | Max Chee | Darrel Huang | Miguel Tan | Eugene Lim | Goh Jing Loon

Author: Wong Zheng Kai
Originally published on CSG @ GovTech.
For more deep-dive cybersecurity tools and techniques, please visit CSG @ GovTech