SingCERT Vulnerability Disclosure Policy

Responsible Vulnerability Disclosure (“RVD”) is a process where a person/organisation responsible for a product or service (the “System Owner”) is informed of a cybersecurity vulnerability in the product or system, in order that they may mitigate or eradicate the risk that the vulnerability may be exploited, and minimise or prevent potential harms that may result.

SingCERT supports RVD as a means of fostering cooperation between System Owner(s) and the wider cybersecurity community, so as to improve cybersecurity and build a trusted and resilient cyberspace.

SingCERT encourages anyone that has identified or knows of a suspected vulnerability in a product or service (the “Informer”) to first report directly to the System Owner(s). System Owner(s) are encouraged to develop their own vulnerability disclosure policies setting out how vulnerability reports will be received and handled, what the reports should contain, approaches for disclosure to affected users and the public, as well as any rewards policies. For reporting of vulnerabilities in any Singapore government-related systems or websites, please refer to Govtech’s Vulnerability Disclosure Programme at: https://www.tech.gov.sg/report_vulnerability