Cybersecurity investments in Singapore and Southeast Asia are surging as organisations recognise the need to protect their digital infrastructure. Cybersecurity Ventures projects the regional cybersecurity market to grow from US$3.5 billion in 2020 to US$10.5 billion by 2025, with a 24.4% CAGR. This growth reflects the region’s heightened focus on strengthening defences against rising cyber threats.
Despite increasing investments, many organisations remain vulnerable to sophisticated cyberattacks. According to a report by Kaspersky, over 13 million web threats targeting businesses in Southeast Asia (SEA) were detected and blocked in 2023.
Traditional methods, such as penetration testing and security audits, while effective to a point, are proving increasingly limited.
The Cyber Security Agency of Singapore (CSA), in its recently launched Guidelines and Companion Guide on Securing AI Systems, emphasises that businesses using AI must conduct more rigorous and frequent risk assessments.
So, what more can companies do to strengthen their defences in this increasingly complex landscape?
One solution is adopting bug bounty programmes, incentivising ethical hackers to identify vulnerabilities before they can be exploited by malicious actors.
Why bug bounty
Bug bounty programmes offer a flexible, results-driven approach to cybersecurity, enlisting ethical hackers to identify vulnerabilities and earn rewards based on severity.
Unlike fixed-schedule penetration testing, these programmes provide continuous, scalable assessments, engaging diverse global expertise to uncover vulnerabilities in real time. Companies can invite 10, 100, or even 1,000 hackers—bringing unparalleled diversity of expertise to the table. This ensures a dynamic defence, as vulnerabilities are uncovered by a global community with unique skill sets.
Bug bounty is particularly cost-effective because of its results-oriented model: hackers are compensated only when they discover valid vulnerabilities. Organisations pay solely for actionable results, making this approach both efficient and precise.
Global expertise for stronger security
Bug bounty programmes leverage the expertise of a diverse, global community of ethical hackers. This diversity enables a more thorough and wider approach to security testing, as each researcher brings unique methods and insights to the programme – something that traditional in-house teams or penetration testing companies cannot replicate. These programmes simulate real external attacks, allowing researchers to identify exploitable vulnerabilities before malicious actors can do so.
Singapore has led Southeast Asia in adopting bug bounty programmes, integrating them into its national cybersecurity strategy as early as 2018. The Monetary Authority of Singapore (MAS), for example, recognises the value of bug bounty programmes in its Technology Risk Management guidelines, allowing financial institutions to leverage ethical hackers within their cybersecurity frameworks.
Additionally, the Singapore Government, through GovTech, runs initiatives like the Vulnerability Disclosure Program (VDP) and Government Bug Bounty Program (GBBP).
The VDP allows the public to report security vulnerabilities they discover in government systems, encouraging a collaborative approach to cybersecurity.
The GBBP engages selected ethical hackers to identify vulnerabilities in critical systems, which organisations can then fix. This blend of policy support and real-world implementation cements Singapore’s position at the forefront of proactive cybersecurity.
Leading companies like Tencent have also adopted bug bounty programmes, achieving notable security improvements, such as fewer critical vulnerabilities and faster response times. These successes underscore the value of continuous security testing in helping organisations safeguard their growing digital presence against evolving cyber threats.
Overcoming fear and resistance
Despite the clear benefits, some companies still hesitate to adopt bug bounty programmes due to concerns about exposing sensitive systems to external testers.
Interestingly, however, it is often the most sensitive and highly regulated industries—such as finance, healthcare, and defence—that are among the earliest adopters of these programmes. These industries trust the rigorous controls bug bounty offers and recognise its value in achieving uncompromising security.
To overcome this resistance, companies need to understand that bug bounty platforms have rigorous controls to prevent misuse. Ethical hackers are vetted, and their actions are monitored to ensure compliance with programme guidelines.
The real question is: Is it riskier to leave vulnerabilities undiscovered – or to let skilled researchers help identify and fix them?
The future of cybersecurity
As cyber threats grow more sophisticated, traditional security measures alone are insufficient. Bug bounty programmes offer a scalable, cost-effective solution that empowers companies to stay ahead of cybercriminals.
For CISOs, CTOs, and cybersecurity professionals, the question is not whether to adopt bug bounty programmes, but rather how to integrate them into existing security frameworks. As the cybersecurity landscape in Southeast Asia continues to evolve, bug bounty programmes represent an essential tool in the fight to safeguard sensitive data and infrastructure from an increasingly sophisticated range of cyber threats.
Kevin Gallerin, CEO for Apac at YesWeHack