NUS Bug Bounty Challenge 2023

We are excited to announce that the Bug Bounty Challenge 2023 will run from 15 May 2023 (Mon) to 02 June 2023 (Fri). This event is designed to give our community the opportunity to showcase their skills in cybersecurity and help us identify potential vulnerabilities in our NUS application systems. We are also excited to introduce our new platform partner, Yes We Hack, a leading global Bug Bounty & Vulnerability management platform, which will be providing the technology and expertise to make this event a success.

BACKGROUND

For those who may be unfamiliar with the concept, a bug bounty program is a crowdsourced initiative that offers rewards to ethical hackers who find and report security vulnerabilities in application systems. By participating in this event, you will have the opportunity to showcase your skills, earn some money, and help improve the security of our applications and systems.

In preparation for the bug bounty challenge, NUS and Yes We Hack will be offering training sessions, conducted by a professional white-hat hacker, for anyone who is interested in learning more about ethical hacking.

We believe that this event will be an excellent opportunity for our community to showcase their skills, learn from industry experts, and help improve our cybersecurity. We encourage all NUS staff and students to join and take part, whether you are an experienced hacker or a beginner.

Register your interest via http://nus.edu/bugbounty and stand a chance to win attractive cash bounty prizes of up to S$3,000, earn extra marks (for eligible modules) and gain a place in our Hall of Fame!

So mark your calendars and get ready to participate in our Bug Bounty Challenge 2023 event. We look forward to your participation in this bug hunting event!

REWARDS

Each bug which is found and verified will be assigned a severity level and a corresponding bounty will be awarded as follows:

Critical: S$3,000
High: S$1,000
Medium: S$500
Low: S$200

Note: Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and will not be eligible for a bounty.

STEPS TO SIGN UP
  1. Register and create an account via Yes We Hack’s platform at https://yeswehack.com/auth/register -> Select “New User”.
  2. Provide your details and Yes We Hack username via the signup form at https://nus.edu/bugbounty by 12 May 2023 12pm (Fri).
  3. Accept the challenge invitation email, which will be sent to you by 12 May 2023 (Fri).

Note: If you have joined our bug bounty programme previously, you will need to register again. NUS is now using a new platform via Yes We Hack.

RULES
  • The challenge is only open to NUS staff and students.
  • The list of NUS applications which are in scope will be made available only to registered participants. You may only perform testing on these applications.
  • Application/system owners and their respective support teams may not submit bugs related to the applications/systems they own or support.
  • All testing activities must be carried out through the Yes We Hack VPN. Please refer to the instructions sent to you once you have accepted the invitation.
  • Do not attempt to access or overwrite any data, especially private data, which you might gain access to.
  • Do not publicly disclose any vulnerabilities before they have been completely resolved.
  • Do not perform any tests that will disrupt services or prevent others from using them, e.g. DDoS/DoS attacks, brute-force attacks.
  • Do not use social engineering (such as phishing) to obtain credentials or access.
  • Do not use network-based exploits such as DNS poisoning or ARP spoofing.
  • Do not use exploits that require physical access to any system/machine.

NEW TO BUG BOUNTY?

Please refer to the following resources to get started:

If you have any questions, please contact the NUS IT Bug Bounty Program Team.