Report Vulnerability
Vulnerability Disclosure Programme
GovTech has established the Vulnerability Disclosure Programme (VDP) to encourage the responsible reporting of suspected vulnerabilities or weaknesses in IT services, systems, resources and/or processes which may potentially affect government internet-accessible applications.
This is part of the Government Technology Agency’s (GovTech) ongoing efforts to ensure the cybersecurity of government internet-accessible applications used by citizens, businesses and public sector employees. We look forward to working with the cybersecurity research community and members of the public to keep our services safe for all users.
Please note that the VDP does not authorise or permit the taking of any action which may contravene applicable laws and regulations (e.g., Computer Misuse Act). For the avoidance of doubt, attempts to exploit or test suspected vulnerabilities (e.g., gaining unauthorised access to any computer program or data) are prohibited.
Code of conduct for VDP participants
a. Act responsibly for the sole purpose of reporting suspected vulnerabilities and safeguarding users from damage, harm or loss
b. Avoid causing any kind of damage, harm or loss to individuals or organisations (e.g. you should not attempt to test, reproduce or verify the suspected vulnerability, or take any action which may cause interruption to or degradation of any services)
c. Conduct yourself in accordance with applicable laws and regulations at all times. If you have any doubt about such laws or regulations, please seek professional legal advice. Under no circumstances should you attempt to exfiltrate any computer data or publish details of any suspected vulnerability
d. Upon detection of a suspected vulnerability, please notify us immediately or as soon as possible by submitting a report through the “Click to Report Vulnerability” button below
e. Where applicable, provide your name, email address and mobile number in the suspected vulnerability report so that we may contact you for clarifications. Include the name(s) and email(s) of other person(s) to whom you may have disclosed the suspected vulnerability
f. Provide adequate information in the suspected vulnerability report so that we may work with you on validating the suspected vulnerability. Please include these details (where available):
- Description of the suspected vulnerability
- IP address and/or URL of the subject service
- Configuration and version of the subject software
- Description of the circumstances, including date(s) and time(s), leading to your reporting of the suspected vulnerability
- Description of the reason(s) why you believe the suspected vulnerability may impact the subject service and the extent of such suspected potential impact (e.g. describe how you believe the suspected vulnerability might potentially operate)