Frequently Asked Questions

Published on 30 Aug 2022

Updated on 30 Aug 2022

General

The VDP provides guidelines and sets out in detail how Informers, System Owners and SingCERT can contribute to the process of Responsible Vulnerability Disclosure (RVD).

This policy is neither a bug-bounty program, nor a program that provides permission for researchers to actively test the systems/products of organisations in Singapore. 

The VDP does not authorise or permit the taking of any action which may contravene any applicable laws (including the Singapore Computer Misuse Act 1993, Personal Data Protection Act 2012, or any applicable foreign laws).


RVD is a process in which the System Owner is informed of a cybersecurity vulnerability in their product or system, so that they can mitigate or eradicate the risk of the vulnerability being exploited and minimise or prevent the potential harm that may result.

As part of RVD, Informers should report the vulnerability directly to the System Owner(s) for their assessment and verification, and provide them time to fix the vulnerability. Do not exploit the vulnerability or download any sensitive data.


Informers should report the vulnerability directly to the System Owner(s) for their assessment and verification, and provide them time to fix the vulnerability. Do not exploit the vulnerability or download any sensitive data.

If Informers have been unsuccessful in doing so, they can report the vulnerability to SingCERT. SingCERT will make reasonable effort to contact the System Owner(s). Where necessary and appropriate, we may put the Informer and System Owner(s) directly in touch, to enable better communication and coordination.


To report vulnerabilities in any Singapore government-related systems or websites, please refer to GovTech's Vulnerability Disclosure Programme at: https://www.tech.gov.sg/report_vulnerability


Informers should similarly report the vulnerability directly to the System Owner(s) for their assessment and verification. If they are unable to contact the System Owner(s), Informers may wish to report it to the relevant authority (e.g. the CERT) of the country. Alternatively, they may report it to SingCERT and SingCERT may contact the relevant CERT, where necessary and appropriate.


For Informers

Should Informers want to conduct such activity, they should seek permission from the System Owner(s) before performing any actions.

The VDP does not authorise or permit the taking of any action which may contravene any applicable laws (including the Singapore Computer Misuse Act 1993, Personal Data Protection Act 2012, or any applicable foreign laws). Informers are reminded to abide by all applicable laws, including when taking any steps to identify or assess the vulnerability. 


The VDP does not authorise or permit the taking of any action which may contravene any applicable laws (including the Singapore Computer Misuse Act 1993, Personal Data Protection Act 2012, or any applicable foreign laws). Informers are reminded to abide by all applicable laws, including when taking any steps to identify or assess the vulnerability.

Where possible, permission from the System Owner(s) should be obtained before performing any actions, especially actions that may adversely affect System Owner(s) and users. Informers should be deliberate and take due care when performing actions pertaining to assessing a vulnerability. This includes ensuring that the actions do not compromise the availability of systems and services, and avoiding actions that are not strictly necessary for the purposes of assessing, testing, or evaluating the security of the systems and services in order to ensure or safeguard their security.


Where possible, the System Owner(s)' permission should be obtained before performing any actions, especially actions that may adversely affect the System Owner(s) and users. Informers should be deliberate and take due care when performing actions pertaining to assessing a vulnerability. This includes ensuring that the actions do not compromise the availability of systems and services, and avoiding actions that are not strictly necessary for the purposes of assessing, testing, or evaluating the security of the systems and services in order to ensure or safeguard their security.

Informers should comply with all applicable Singapore and foreign laws. This includes complying with the Singapore Computer Misuse Act ("CMA") and refraining from actions that may constitute a breach of the CMA. Informers are advised to seek and obtain professional legal advice if they have any doubt about the scope and application of any law.

Informers can refer to the VDP for some illustrative, non-exhaustive examples of actions which should NOT be taken in the process of confirming or assessing a possible vulnerability.


The VDP provides a list of illustrative, non-exhaustive examples of actions which Informers should refrain from, that may constitute a breach of the CMA. Where possible, permission from the System Owner(s) should be obtained before performing any actions, especially those that may adversely affect System Owner(s) and users.  


System Owner(s) may file a police report to investigate any actions that may constitute a breach of the Computer Misuse Act or any relevant laws.  Where possible, permission from the System Owner(s) should be obtained before performing any actions, especially actions that may adversely affect System Owner(s) and users. 

Informers can refer to the VDP for some illustrative, non-exhaustive examples of actions which should NOT be taken in the process of confirming or assessing a possible vulnerability.


SingCERT will act as a conduit to coordinate between the Informer and the System Owner(s). Where necessary and appropriate, SingCERT may put the Informer and the System Owner(s) directly in touch, or provide the Informer’s name and contact details to the System Owner(s). 


SingCERT does not provide rewards or incentives such as a ‘bug bounty’. However, some System Owner(s) may have their own Vulnerability Disclosure Policy or Programme that may offer rewards for the reporting of vulnerabilities within their systems. 


SingCERT recommends that Informers work with System Owner(s) to resolve any validated vulnerability generally within 90 days, to allow time for System Owner(s) to remediate the vulnerability. Informers may also work with System Owner(s) on any other timeline agreed between them.


To request a CVE ID, please visit MITRE's CVE website for details on finding the CVE Numbering Authority (CNA) whose scope includes the product affected by the possible vulnerability: https://www.cve.org/ResourcesSupport/ReportRequest

If the product/system is not covered by any CNA, MITRE's CVE website provides details on contacting the appropriate CNA of Last Resort (CNA-LR).


For System Owners

System Owner(s) should assess and verify the information regarding the suspected vulnerability, including the potential impact of exploitation. System Owner(s) should also contact the Informer if more information is required, and work with the Informer in providing a simultaneous public disclosure, if appropriate. 

If the suspected vulnerability is verified, System Owner(s) should work towards developing a patch or any other mitigation measures, and ensure that product/service users are aware of the vulnerability and the appropriate mitigation measures. 

We also request that System Owner(s) update SingCERT and the Informer on their assessment, findings and the status of their response to the vulnerability.


To verify the legitimacy of an email from SingCERT, please email singcert@csa.gov.sg to enquire.


The VDP contains a list of illustrative, non-exhaustive examples of actions that Informers should not take as part of their vulnerability assessment process (see para 3 of the responsible disclosure guidelines). If there is evidence that the Informer may have taken actions such as those listed, System Owner(s) may wish to report the findings to the relevant authorities for their investigations.