GovTech - Vulnerability Disclosure Programme
GovTech is the lead agency driving Singapore's Smart Nation initiative and public sector digital transformation. We harness the power of technology to make lives better for citizens, businesses, international audiences and the public service sector.
Program
Hacktivity
This program will not provide any cash reward or financial incentive of any kind for the detection and/or resolution of the validated vulnerability.
Aim
As part of the Government’s ongoing efforts to strengthen the security posture of the ICT systems and digital services used by citizens, businesses and public sector employees, GovTech has established this vulnerability disclosure programme (“VDP”) to encourage the responsible reporting of potential vulnerabilities in IT services, systems, resources and/or processes which may affect Government internet-accessible applications. We look forward to working with the cybersecurity research community and members of the public to keep digital services safe for all users.
Response Targets
GovTech will make best efforts to meet the following response targets for hackers participating in our program:
- Time to first response (from report submit) - 1 business day
- Time to triage (from report submit) - 1 business day
Assets in-scope
The VDP extends to suspected vulnerabilities in IT services, systems, resources and/or processes which may potentially affect one or more of the following digital services:
- All Government Internet-accessible web-based, mobile, and IoT applications used by citizens, businesses and public sector employees (e.g. portals/websites such as "gov.sg", "ns.sg" and "tech.gov.sg", and mobile applications such as "SingPass Mobile", "SGSecure", "Workpal" and "DWP Mobile"). Third-party applications such as social media platforms (e.g. Facebook, Instagram) are excluded.
Guidelines for determining in-scope domains
- Domains where GovTech is the registrar will be considered in-scope for the VDP. You can use "whois" tools such as https://who.is or https://whois.domaintools.com/ to check the registrar recorded for the domains you intend to test, or perform a search using https://search.censys.io/ to identify the Singapore Ministry that the website is associated with. If the whois record does not show GovTech, treat the domain as out of scope unless it is a *.gov.sg domain.
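As an added worked example (not part of GovTech's or YesWeHack's own tooling), the following Python script applies the two scope rules above before any testing starts: an exact-label suffix check for *.gov.sg, and a registrar check on whois output. The whois text embedded below is constructed sample data, and the registrar string "Government Technology Agency" is an assumption about how the record is worded; confirm it against a live lookup before relying on it.

```python
import re
import subprocess
from typing import Optional

# Constructed sample whois output (not real registry data). The "Key: Value"
# layout is the common whois format; the registrar wording is an assumption.
SAMPLE_WHOIS = """% Constructed example record
Domain Name: example.gov.sg
Registrar: Government Technology Agency
Registrant: Example Ministry
Creation Date: 2015-01-01
"""

# Assumed pattern for GovTech as registrar; adjust after checking a real record.
GOVTECH_REGISTRAR = r"government technology agency|govtech"


def in_vdp_suffix_scope(domain: str) -> bool:
    """True if the domain is gov.sg or any subdomain of it.

    Matches whole labels, so 'fakegov.sg' and 'gov.sg.evil.com' are rejected.
    """
    labels = domain.strip().lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-2:] == ["gov", "sg"]


def parse_whois(text: str) -> dict:
    """Parse 'Key: Value' whois lines into a dict keyed by lowercase field name.

    Comment lines (%, #, >>>) are skipped; the first occurrence of a key wins.
    """
    fields = {}
    for line in text.splitlines():
        stripped = line.lstrip()
        if ":" not in stripped or stripped.startswith(("%", "#", ">>>")):
            continue
        key, _, value = stripped.partition(":")
        key = key.strip().lower()
        if key and key not in fields:
            fields[key] = value.strip()
    return fields


def registrar_matches(whois_text: str, pattern: str = GOVTECH_REGISTRAR) -> bool:
    """True if the whois 'Registrar' field matches the expected GovTech wording."""
    registrar = parse_whois(whois_text).get("registrar", "")
    return re.search(pattern, registrar, re.IGNORECASE) is not None


def fetch_whois(domain: str) -> str:
    """Run the system whois client; needs network access, returns '' on failure."""
    try:
        proc = subprocess.run(["whois", domain], capture_output=True,
                              text=True, timeout=20)
        return proc.stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


def classify(domain: str, whois_text: Optional[str] = None) -> str:
    """Apply the VDP scope rules: *.gov.sg first, then registrar via whois."""
    if in_vdp_suffix_scope(domain):
        return "in-scope (*.gov.sg)"
    text = whois_text if whois_text is not None else fetch_whois(domain)
    if registrar_matches(text):
        return "in-scope (GovTech registrar per whois)"
    return "out of scope / unverified"


if __name__ == "__main__":
    for d in ["tech.gov.sg", "fakegov.sg", "example.gov.sg"]:
        print(d, "->", classify(d, SAMPLE_WHOIS))
```

Passing `whois_text` explicitly lets you run the classifier against a record you have already saved; leaving it out calls the local `whois` client. Either way, a domain that fails both checks should be left alone rather than tested on the assumption that it "looks governmental".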
Conduct Rules
The VDP does not authorise or permit the taking of any action which may contravene applicable laws and regulations (e.g. Computer Misuse Act). For the avoidance of doubt, attempts to exploit or test suspected vulnerabilities (e.g. gaining unauthorised access to any computer program or data) are prohibited.
Expected Conduct
You are expected to conduct yourself responsibly at all times and as a non-exhaustive guide to permitted conduct, you should refer to the list below. If you are in any doubt about any proposed course of conduct, please contact us at https://go.gov.sg/reportvulnerability.
- Act responsibly for the sole purpose of reporting suspected vulnerabilities and safeguarding users from damage, harm or loss.
- Avoid causing any kind of damage, harm or loss to individuals or organisations (e.g. you should not attempt to test, reproduce or verify the suspected vulnerability, or take any action which may cause interruption or degradation of digital services).
- Conduct yourself in accordance with applicable laws and regulations at all times. If you have any doubt about such laws or regulations, please seek and obtain professional legal advice. Under no circumstances should you attempt to exfiltrate any computer data or publish details of any suspected vulnerability. You shall delete all system or user data that you have obtained in the course of testing after your report has been closed.
- Upon detection of a suspected vulnerability, notify us immediately or as soon as practicable by submitting a report on this vulnerability disclosure program.
- Provide adequate information in the suspected vulnerability report so that we may work with you on validating the suspected vulnerability, including these details (where available):
- Description of the suspected vulnerability.
- IP address and/or URL of the subject digital services.
- Configuration and version of the subject software.
- Description of the circumstances, including date(s) and time(s), leading to your reporting of the suspected vulnerability.
- Description of the reason(s) why you believe the suspected vulnerability may impact the subject digital services and the extent of such suspected potential impact (e.g. describe how you believe the suspected vulnerability might potentially operate).
- Where testing for a vulnerability in any "Contact Us", e-service or electronic forms, researchers are to prefix any text input with “VDP” when submitting such forms. Researchers should avoid submitting an excessive number of forms or running automated scans against these endpoints/submission forms. For the avoidance of doubt, the use of the prefix is not required in the submission of a report via YesWeHack.
Prohibited Conduct
You are expected to conduct yourself responsibly at all times and as a non-exhaustive guide to prohibited conduct, you should refer to the list below. If you are in any doubt about any proposed course of conduct, please contact us at https://go.gov.sg/reportvulnerability.
- Act in any way which may contravene applicable laws and regulations (e.g. the Computer Misuse Act).
- Publish or publicly disclose any suspected vulnerability to any third party except for us and our disclosure partner before it is resolved as malicious actors may exploit the suspected vulnerability to cause damage, harm or loss to individuals and organisations.
- Deploy destructive, disruptive or other unlawful means to detect vulnerabilities (e.g. attacks on physical security, social engineering, denial of service, brute force attacks).
- Exploit, test or otherwise use any suspected vulnerability (e.g. taking any step(s) to access, copy, create, delete, modify, manipulate or download any data or programme, build system backdoor(s), modify system configuration(s), facilitate or share system access).
Excluded Issues
Specific issues are excluded from this VDP as they have limited security impact and/or are known issues. These excluded issues are:
- Violations of secure design principles which are not part of exploitable vulnerabilities.
- CSRF on forms available to anonymous users (e.g. contact forms and logout).
- HTTP/TLS configuration issues without demonstrable impact (e.g. TLS configuration issues such as BEAST, BREACH, renegotiation attacks, insecure cipher suites; missing HTTP security headers; lack of Secure or HttpOnly cookie flags).
- Presence or absence of application/browser autocomplete or save-password flags.
- Username enumeration on login or forgot password pages.
- Reports about missing rate limiting where other mitigations exist (e.g. brute force attacks against login pages already protected by multi-factor authentication).
- Clickjacking attacks which do not lead to any sensitive state changes.
- HTTP OPTIONS/TRACE methods enabled.
Regarding YesWeHack's Platform Standards
- GovTech is aware of YesWeHack's Detailed Platform Standards
- In our commitment to continuous improvement, we have shared feedback to YesWeHack that may result in enhanced specificity and detail of the existing standards. Whilst our feedback is being considered, each vulnerability report will continue to be assessed individually, with our team conducting comprehensive reviews as standard practice.
GovTech’s Role
As part of the VDP, GovTech will:
- Act as a coordinator between you and the relevant public sector agency or agencies (“Stakeholders”) which may possibly be affected by the suspected vulnerability.
- Acknowledge receipt of your suspected vulnerability report and notify the Stakeholders of the suspected vulnerability, generally within 3 business days of our receipt of your report.
- Work with you and the Stakeholders to resolve any validated vulnerability, generally within 90 business days of our receipt of your report.
- Upon the validation of your suspected vulnerability report and at our sole discretion, accord appropriate recognition to you for your contribution(s) in reporting and/or resolving the validated vulnerability.
Please note that GovTech does not and will not in any way:
- Accord or provide you with any kind of exemption, immunity, indemnity or shield from civil or criminal liability (if any) under applicable laws and regulations.
- Be liable for any expense, damage or loss of any kind which you may incur due to any action taken or not taken by us in relation to any suspected vulnerability you may report.
- Accept or assume any responsibility for the contents of any suspected vulnerability report submitted by you, nor shall our acknowledgment or processing of such report constitute any kind of acceptance or endorsement of the contents therein.
- Be obliged to consult you for any media or public statement that we and/or any Stakeholders may decide to publish or release in relation to the suspected or validated vulnerability.
- Provide you with any cash reward or financial incentive of any kind for the detection and/or resolution of the validated vulnerability.
GovTech VDP Swags
Digital Badge
You can receive Credly badges when you discover valid vulnerabilities and report them to our VDP programme. These badges can be displayed on your Credly profile page or to your social media pages to showcase your skills/achievements and your contribution towards keeping Singapore cybersafe.
All badges feature Jaga the cybersecurity hedgehog (our mascot!) and come in two categories. The first category is based on the categories of vulnerabilities reported, and the second is based on the cumulative number of vulnerabilities you have reported.
Badges (Vulnerability Categories)
Badges (Accumulation of no. of vulnerabilities reported)
The description of each of the badges can be found here: VDP_Digital_Badge.pdf
How to collect your badges
- Report a valid cybersecurity vulnerability to our VDP programme.
- Once the report has been validated by our team (please allow 7 working days for processing), an email invitation to claim the badge will be sent to your email address. Please state the email address to use inside your report.
- You will need to register for a Credly account to manage the badges and your Credly profile page.
- The badges can also be published on your Facebook, Twitter, or LinkedIn account to share your achievement and contribution towards keeping Singapore cybersafe.
- Each badge has a validity period of 3 years.
- Collect them all!
Alternatively
You can submit your report anonymously using our VDP page:
https://go.gov.sg/report-vdp-anonymously
Scopes
| Scope | Type | Asset value |
|---|---|---|
| *.gov.sg | other | |
| Domains where GovTech is the registrar | other | |
Out of scopes
- All domains or subdomains not listed in the above list of 'Scopes'
Vulnerability types
Non-qualifying vulnerabilities
- Violations of secure design principles which are not part of exploitable vulnerabilities.
- CSRF on forms available to anonymous users (e.g. contact forms and logout).
- HTTP/TLS configuration issues without demonstrable impact (e.g. TLS configuration issues such as BEAST, BREACH, renegotiation attacks, insecure cipher suites; missing HTTP security headers; lack of Secure or HttpOnly cookie flags).
- Presence or absence of application/browser autocomplete or save-password flags.
- Username enumeration on login or forgot password pages.
- Reports about missing rate limiting where other mitigations exist (e.g. brute force attacks against login pages already protected by multi-factor authentication).
- Clickjacking attacks which do not lead to any sensitive state changes.
- HTTP OPTIONS/TRACE methods enabled.
- Mislabelling of non-sensitive documents