GovTech VDP
The Government Technology Agency of Singapore (GovTech) works with public
agencies to develop and deliver secure digital services

http://tech.gov.sg

Vulnerability Disclosure Program
Launched on Oct 2019

Managed by HackerOne

Policy

Aim
As part of the Singapore Government Technology Agency’s (“GovTech”) ongoing efforts to ensure
the cyber-security of Government internet-accessible applications used by citizens, businesses
and public sector employees, GovTech has established this vulnerability disclosure programme
(“VDP”) to encourage the responsible reporting of suspected vulnerabilities or weaknesses in IT
services, systems, resources and/or processes which may potentially affect Government
internet-accessible applications. We look forward to working with the cyber-security research
community and members of the public to keep digital services safe for all users.

Response Targets
GovTech will make best efforts to meet the following response targets for hackers participating in
our program:

Time to first response (from report submit) - 1 business day
Time to triage (from report submit) - 1 business day

Assets in-scope
The VDP extends to suspected cyber-security vulnerabilities which may potentially affect one or
more of the following digital services:

All Government Internet-accessible web-based and mobile applications used by citizens,
businesses and public sector employees (e.g. portals/websites like "gov.sg", "ns.sg",
"onemotoring.com.sg", "youth.sg", "tech.gov.sg", "pacgov.agd.gov.sg", and mobile applications
like "SingPass Mobile", "SGSecure", "DWP Mobile"), but excluding third-party applications such as
social media platforms (e.g. Facebook, Instagram).

Guidelines for determining in-scope domains

Domains where GovTech is the registrar will be considered in-scope for the VDP. You can utilise
"whois" tools such as https://www.whois.com/ to determine the registrar of the domains
that you are testing on.
Domains in *.moe.edu.sg will be considered in-scope for the VDP.
Note that domains belonging to local universities (e.g. NUS/NTU/SMU.edu.sg) and private
schools in Singapore are not owned by GovTech and are not considered in-scope.

Assets Out-of-Scope
The VDP does not extend to digital services and applications which are not described above, nor to IT
systems and services operated by non-public sector entities or organisations. If you are in any
doubt as to whether this VDP extends to any particular digital service, please contact us at
vulnerability_disclosure@tech.gov.sg.

Conduct Rules
1. The VDP does not authorise or permit the taking of any action which may contravene applicable
laws and regulations (e.g. Computer Misuse Act). For the avoidance of doubt, attempts to
exploit or test suspected vulnerabilities (e.g. gaining unauthorised access to any computer
program or data) are prohibited.

2. Expected Conduct. You are expected to conduct yourself responsibly at all times and as a non-
exhaustive guide to permitted conduct, you should refer to the list below. If you are in any doubt
about any proposed course of conduct, please contact us at
vulnerability_disclosure@tech.gov.sg.

Act responsibly for the sole purpose of reporting suspected vulnerabilities and safeguarding
users from damage, harm or loss.
Avoid causing any kind of damage, harm or loss to individuals or organisations (e.g. you
should not attempt to test, reproduce or verify the suspected vulnerability, or take any action
which may cause interruption or degradation of digital services).
Conduct yourself in accordance with applicable laws and regulations at all times. If you have
any doubt about such laws or regulations, please seek and obtain professional legal advice.
Under no circumstances should you attempt to exfiltrate any computer data or publish
details of any suspected vulnerability.
Upon detection of a suspected vulnerability, notify us immediately or as soon as practicable
by submitting a report on this vulnerability disclosure program or contact us directly via email
at vulnerability_disclosure@tech.gov.sg.
Provide adequate information in the suspected vulnerability report so that we may work with
you on validating the suspected vulnerability, including these details (where available):
Description of the suspected vulnerability.
IP address and/or URL of the subject digital services.
Configuration and version of the subject software.
Description of the circumstances, including date(s) and time(s), leading to your reporting of
the suspected vulnerability.
Description of the reason(s) why you believe the suspected vulnerability may impact the
subject digital services and the extent of such suspected potential impact (e.g. describe
how you believe the suspected vulnerability might potentially operate).

Where testing for a vulnerability in any "Contact Us", e-service or electronic forms,
researchers are to prefix any text input with “VDP” when submitting such forms.
Researchers should avoid submitting an excessive number of forms or running automated
scans against these endpoints/submission forms. For the avoidance of doubt, the use of the
prefix is not required in the submission of a report via HackerOne.

3. Prohibited Conduct. You are expected to conduct yourself responsibly at all times and as a non-
exhaustive guide to prohibited conduct, you should refer to the list below. If you are in any doubt
about any proposed course of conduct, please contact us at
vulnerability_disclosure@tech.gov.sg.

Act in any way which may contravene applicable laws and regulations (e.g. the Computer
Misuse Act).
Publish or publicly disclose any suspected vulnerability to any third party save for us and our
disclosure partner before it is resolved as malicious actors may exploit the suspected
vulnerability to cause damage, harm or loss to individuals and organisations.
Deploy destructive, disruptive or other unlawful means to detect vulnerabilities (e.g. attacks
on physical security, social engineering, denial of service, brute force attacks).
Exploit, test or otherwise use any suspected vulnerability (e.g. taking any step(s) to access,
copy, create, delete, modify, manipulate or download any data or programme, build system
backdoor(s), modify system configuration(s), facilitate or share system access).

4. Excluded Issues. Specific issues are excluded from this VDP as they have limited security impact
and/or are known issues. These excluded issues are:

Violations of secure design principles which are not part of exploitable vulnerabilities.
Missing SPF/DKIM/DMARC entries.
CSRF on forms available to anonymous users (e.g. contact forms and logout).
HTTP/TLS configuration issues without demonstrable impact (e.g. TLS configuration issues
such as BEAST, BREACH, renegotiation attacks, insecure cipher suites; missing HTTP
security headers; lack of Secure or HTTPOnly cookie flags).
Non-sensitive information disclosure (e.g. server versions, software stack) on error message
pages.
Presence or absence of application/browser autocomplete or save-password flags.
Username enumeration on login or forgot password pages.
Reports about missing rate limiting where other mitigations exist (e.g. brute force attacks
against login pages already protected by multi-factor authentication).
Clickjacking attacks which do not lead to any sensitive state changes.
HTTP OPTIONS/TRACE methods enabled.

GovTech’s Role
1. As part of the VDP, GovTech will -

Act as a coordinator between you and the relevant public sector agency or agencies
(“Stakeholders”) which may possibly be affected by the suspected vulnerability.
Acknowledge receipt of your suspected vulnerability report and notify the Stakeholders of
the suspected vulnerability within generally 3 business days from our receipt of your report.
Work with you and the Stakeholders to resolve any validated vulnerability within generally 90
business days from our receipt of your report.
Upon the validation of your suspected vulnerability report and at our sole discretion, accord
appropriate recognition to you for your contribution(s) in reporting and/or resolving the
validated vulnerability.

2. Please note that GovTech does not and will not in any way -

Accord or provide you with any kind of exemption, immunity, indemnity or shield from civil or
criminal liability (if any) under applicable laws and regulations.
Be liable for any expense, damage or loss of any kind which you may incur due to any action
taken or not taken by us in relation to any suspected vulnerability you may report.
Accept or assume any responsibility for the contents of any suspected vulnerability report
submitted by you, nor shall our acknowledgment or processing of such report constitute any
kind of acceptance or endorsement of the contents therein.
Be obliged to consult you for any media or public statement that we and/or any Stakeholders
may decide to publish or release in relation to the suspected or validated vulnerability.
Provide you with any cash reward or financial incentive of any kind for the detection and/or
resolution of the validated vulnerability.
Last updated on November 5, 2020.

Response Efficiency (based on last 90 days)
Average time to first response: 5 hrs
Average time to triage: 3 days
Average time to resolution: 2 months
Reports meeting response standards: 94% of reports

Program Statistics (updated daily)
Reports received in the last 90 days: 189
Last report resolved: 3 days ago
Reports resolved: 364
Hackers thanked: 147

Top hackers (by reputation)
x4bx54: 406
spaceraccoon: 265
p4fg: 170
shivadagger: 135
stevv: 126