Disclosure Policy on security vulnerabilities discovered by Government Technology Agency’s Cyber Security Group (CSG)

For reporting vulnerabilities related to Singapore Government internet-accessible applications, please refer to https://www.tech.gov.sg/report_vulnerability.

As part of the Government Technology Agency’s (“GovTech”) ongoing efforts to ensure the cyber-security of applications, businesses and public sector employees, GovTech will engage in responsible vulnerability disclosure for third-party products.

Once a vulnerability in a third-party product has been discovered, GovTech will:

  1. Attempt to notify the vendor as soon as practicable via its public vulnerability disclosure contact email or form;
  2. Provide adequate information in the suspected vulnerability report;
  3. Assign a Common Vulnerabilities and Exposures ID (CVE ID) to the vulnerability if it is not covered by another CVE Numbering Authority; and
  4. Publish the CVE and other relevant information on GovTech CSG’s Advisories page and the CVE List after the vulnerability has been patched/mitigated or after 90 days have passed from the time that the vendor is notified of the vulnerability, whichever is earlier.

GovTech will attempt to work with any vendor on reasonable adjustments to the above timeline if there are extenuating circumstances necessitating such adjustments.