SingCERT

Frequently Asked Questions

General

What does SingCERT do?

The Singapore Cyber Emergency Response Team (SingCERT), under the Cyber Security Agency of Singapore (CSA), facilitates the detection, resolution and prevention of cybersecurity incidents for the Singapore constituency. SingCERT achieves these objectives by:

  1. Broadcasting timely alerts, advisories and security patches to highlight security vulnerabilities in software and hardware products, and provide updates on the latest cyber threat trends;
  2. Driving outreach and education to raise cybersecurity awareness and adoption through seminars and workshops;
  3. Collaborating with other international and local CERTs to respond to cyber-related incidents; and
  4. Strengthening cooperation among CERTs and testing of incident handling processes through multiple conferences and cybersecurity exercise drills.
How do I contact SingCERT?

You can email SingCERT at singcert@csa.gov.sg or access SingCERT's Cyber Incident Reporting form at https://www.csa.gov.sg/singcert/reporting

Please note that our operating hours are Monday to Thursday from 9am - 6pm (GMT+8) and Friday from 9am - 5:30pm (GMT+8).

What is SingCERT?

The Singapore Cyber Emergency Response Team (SingCERT), is the national CERT in Singapore. It is the point of contact with members of the public, private businesses and international CERTs around the world. SingCERT was set up in October 1997 as a programme of the then Infocomm Development Authority of Singapore (IDA), in collaboration with the National University of Singapore, to facilitate the detection, resolution and prevention of security-related incidents on the Internet. In 1999, SingCERT become a wholly IDA-owned programme.

With the formation of the Cyber Security Agency of Singapore (CSA) in 2015 as the national body providing dedicated and centralised oversight of national cybersecurity functions, SingCERT moved over to CSA.

Does SingCERT work with other law enforcement agencies to track down cyber-attackers?

SingCERT is not an investigative or law enforcement agency. SingCERT does not investigate, maintain or disclose information about individual cyber-attackers or conduct criminal investigations.

Our activities focus on providing technical assistance and facilitating communications in response to computer security incidents.

If the company or user is interested in pursuing any form of investigation such as finding out the identity of the intruder or seeking legal prosecution, you may wish to contact the Technology Crime Investigation Branch, Singapore Police Force, at 6435 0000 or discuss it with your organisation's legal officer.

SingCERT does not have the legal expertise and cannot offer legal advice.

What information should I provide to SingCERT when my site has had an intrusion?

The organisation or person reporting the incident should provide the following information:

  • Contact information including name, email addresses, telephone and fax numbers.
  • Description of the incident, including supporting logs and details such as source and targeted IP addresses, time of occurrence, parties involved and other relevant information.

Please email SingCERT at singcert@csa.gov.sg. When sending sensitive information, please use encryption. SingCERT's public PGP key is available on the Download PGP Key page.

We will keep any information specific to your site confidential unless you authorise SingCERT to release that information.

What is the Vulnerability Disclosure Policy (VDP) about?
The VDP provides guidelines and sets out in detail on how Informers, System Owners and SingCERT, can contribute to the process of Responsible Vulnerability Disclosure (RVD).

This policy is neither a bug-bounty program, nor a program that provides permission for researchers to actively test the systems/products of organisations in Singapore.

The VDP does not authorise or permit the taking of any action which may contravene any applicable laws (including the Singapore Computer Misuse Act 1993, Personal Data Protection Act 2012, or any applicable foreign laws).
What is Responsible Vulnerability Disclosure (RVD)?
RVD is a process where the System Owner is informed of a cybersecurity vulnerability in the product or system, in order that they may mitigate or eradicate the risk that the vulnerability may be exploited, and minimise or prevent potential harms that may result.

As part of RVD, Informers should report the vulnerability directly to the System Owner(s) for their assessment and verification, and provide them time to fix the vulnerability. Do not exploit the vulnerability or download any sensitive data.
What should I do if I think I discovered a vulnerability in a system/product?
Informers should report the vulnerability directly to the System Owner(s) for their assessment and verification, and provide them time to fix the vulnerability. Do not exploit the vulnerability or download any sensitive data.

If Informers have been unsuccessful in doing so, they can report the vulnerability to SingCERT. SingCERT will make reasonable effort to contact the System Owner(s). Where necessary and appropriate, we may put the Informer and System Owner(s) directly in touch, to enable better communication and coordination.
I discovered a vulnerability pertaining to a Singapore government-related system. Who should I report it to?
For reporting of vulnerabilities in any Singapore government-related systems or websites, please refer to Govtech’s Vulnerability Disclosure Programme at: https://www.tech.gov.sg/report_vulnerability
I discovered a vulnerability pertaining to a system/company that is not based in Singapore. What should I do?
Informers should similarly report the vulnerability directly to the System Owner(s) for their assessment and verification. If they are unable to contact the System Owner(s), Informers may wish to report it to the relevant authority (e.g. the CERT) of the country. Alternatively, they may report it to SingCERT and SingCERT may contact the relevant CERT, where necessary and appropriate.

 

For Informers

Does the VDP permit ethical hacking on organisations?
Should Informers want to conduct such activity, they should seek the permission from the System Owner(s) before performing any actions.

The VDP does not authorise or permit the taking of any action which may contravene any applicable laws (including the Singapore Computer Misuse Act 1993, Personal Data Protection Act 2012, or any applicable foreign laws). Informers are reminded to abide by all applicable laws, including when taking any steps to identify or assess the vulnerability.
Does the VDP authorise or permit me to take any actions to find vulnerabilities in systems?
The VDP does not authorise or permit the taking of any action which may contravene any applicable laws (including the Singapore Computer Misuse Act 1993, Personal Data Protection Act 2012, or any applicable foreign laws). Informers are reminded to abide by all applicable laws, including when taking any steps to identify or assess the vulnerability.

Where possible, permission from the System Owner(s) should be obtained before performing any actions, especially actions that may adversely affect System Owner(s) and users. Informers should be deliberate and take due care when performing actions pertaining to assessing a vulnerability. This includes ensuring that the actions do not compromise the availability of systems and services, and avoiding actions that are not strictly necessary for the purposes of assessing, testing, or evaluating the security of the systems and services in order to ensure or safeguard their security.
Are there actions that I can take to confirm a possible vulnerability?
Where possible, the System Owner(s) permission should be obtained before performing any actions, especially actions that may adversely affect the System Owner(s) and users. Informers should be deliberate and take due care when performing actions pertaining to assessing a vulnerability. This includes ensuring that the actions do not compromise the availability of systems and services, and avoiding actions that are not strictly necessary for the purposes of assessing, testing, or evaluating the security of the systems and services in order to ensure or safeguard their security. 

Informers should comply with all applicable Singapore and foreign laws. This includes complying with the Singapore Computer Misuse Act (“CMA”) and refraining from actions that may constitute a breach of the CMA. You are advised to seek and obtain professional legal advice if you have any doubt about the scope and application of any law.

Informers can refer to the VDP for some illustrative, non-exhaustive examples of actions which should NOT be taken in the process of confirming or assessing a possible vulnerability.
How do I know if my actions may have breached the Computer Misuse Act (“CMA”)?
The VDP provides a list of illustrative, non-exhaustive examples of actions which Informers should refrain from, that may constitute a breach of the CMA. Where possible, permission from the System Owner(s) should be obtained before performing any actions, especially those that may adversely affect System Owner(s) and users.  
Will I get into trouble for breaching any law in the process of discovering or confirming a vulnerability?
System Owner(s) may file a police report to investigate any actions that may constitute a breach of the Computer Misuse Act or any relevant laws.  Where possible, permission from the System Owner(s) should be obtained before performing any actions, especially actions that may adversely affect System Owner(s) and users. 

Informers can refer to the VDP for some illustrative, non-exhaustive examples of actions which should NOT be taken in the process of confirming or assessing a possible vulnerability.
Can I stay anonymous in the process of reporting a vulnerability?

SingCERT will act as a conduit to coordinate between the Informer and the System Owner(s). Where necessary and appropriate, SingCERT may put the Informer and the System Owner(s) directly in touch, or provide the Informer’s name and contact details to the System Owner(s). 

Would I obtain a reward for reporting a vulnerability?
SingCERT does not provide rewards or incentives such as a ‘bug bounty’. However, some System Owner(s) may have their own Vulnerability Disclosure Policy or Programme that may offer rewards for the reporting of vulnerabilities within their systems. 
If I want to disclose the vulnerability information publicly, do I have to wait 90 days after informing the System Owner(s)?

SingCERT recommends that Informers work with System Owner(s) to resolve any validated vulnerability within generally 90 days to allow time for System Owner(s) to remediate the vulnerability.  Informers may also work with System Owner(s) on any timeline that is agreed upon between them.

I would like to have a Common Vulnerabilities and Exposures Identifier (CVE ID) assigned to the vulnerability which I have reported. How do I go about doing that?
To request for a CVE ID, please visit Mitre’s CVE website for more details on finding the CVE Numbering Authority (CNA) whose scope includes the product that is affected by the possible vulnerability: https://www.cve.org/ResourcesSupport/ReportRequest

If the product/system is not covered by a CNA, Mitre’s CVE website provides details on contacting the appropriate CNA of last resort (CNA-LR).

 

For System Owners

What should I do if I receive a vulnerability report?

System Owner(s) should assess and verify the information regarding the suspected vulnerability, including the potential impact of exploitation. System Owner(s) should also contact the Informer if more information is required, and work with the Informer in providing a simultaneous public disclosure, if appropriate. 

If the suspected vulnerability is verified, System Owner(s) should work towards developing a patch or any other mitigation measures, and ensure that product/service users are aware of the vulnerability and the appropriate mitigation measures. 

We also request that System Owner(s) update SingCERT and the Informer of its assessment, findings and status on the response to the vulnerability.

I received an email from SingCERT about a vulnerability in the system. How do I verify if this email is legitimate?

To verify the legitimacy of an email from SingCERT, please email singcert@csa.gov.sg to enquire.

I suspect that the Informer may have breached the Computer Misuse Act and exploited my systems (e.g. installed virus or malicious software) in discovering the vulnerability. What should I do?

The VDP contains a list of illustrative, non-exhaustive examples of actions that Informers should not take as part of their vulnerability assessment process (see para 3 of the responsible disclosure guidelines). If there is evidence that the Informer may have taken actions such as those listed, System Owner(s) may wish to report the findings to the relevant authorities for their investigations.