YesWeHack has marked the completion of its first year as the appointed partner for Singapore’s Government Bug Bounty Programme (GBBP). During this period, YesWeHack supported four separate rounds of the GBBP in collaboration with the Government Technology Agency of Singapore.
These rounds involved the participation of more than 20 government agencies and engagement of around 250 vetted cybersecurity researchers in each cycle. Collectively, these researchers were rewarded with over USD $250,000 for identifying valid vulnerabilities in government systems.
The partnership allowed Singapore to leverage crowdsourced ethical hacking to strengthen its cyber defences. YesWeHack provided both globally sourced expertise and local triage support, helping agencies uncover and address security gaps across critical digital infrastructure.
The GBBP rounds invited a global community of cybersecurity experts, with YesWeHack drawing on a pool of over 100,000 researchers worldwide. Government agencies opened their ICT systems to targeted scrutiny, with bounty rewards awarded based on the severity and validity of vulnerabilities discovered.
The next instalment of the GBBP is scheduled to take place between 24 November and 7 December 2025, underscoring Singapore’s ongoing commitment to collaborating with the global cybersecurity community to enhance and protect government digital services and ICT infrastructure.
The Bug Bounty Programme model relies on thoroughly vetted ethical hackers, also known as security researchers, who earn monetary rewards for reporting verified security vulnerabilities. The rewards, or bounties, are tiered according to the severity of each finding, incentivising researchers to perform in-depth testing and helping surface vulnerabilities that may be missed by standard penetration tests or security tools. These measures support the early discovery of flaws that, if left unaddressed, could be exploited with serious consequences.
YesWeHack brings together security researchers from over 170 countries, supporting programmes tailored to suit specific security needs. The platform’s structure offers flexibility, allowing organisers to target specific areas for testing or adjust the programme’s scope as needed. This adaptability is designed to maximise the efficiency and effectiveness of every bug bounty cycle, according to YesWeHack.
Singapore’s use of crowdsourced cybersecurity expertise has demonstrated a willingness to engage external perspectives and skills, both to identify potential threats and to reinforce digital infrastructure against potential exploitation. The GBBP continues to offer opportunities for new and experienced cybersecurity researchers to contribute to public sector digital resilience.
