Cyber Security Vulnerability Reporting (CSVR) Guide


The Info-communications Media Development Authority (“IMDA”) works closely with infocomm and media companies to ensure that the services they provide to the public are adequately secured against cyber threats. However, given the myriad of infocomm software solutions and applications, it is not possible to totally eliminate all cyber security vulnerabilities despite best efforts.

IMDA recognises that the cyber security researcher (“Researcher”) community regularly makes valuable contributions through making responsible disclosures to enhance the security of public-facing applications and networks of service providers, leading to a safer Internet user experience.


This Cyber Security Vulnerability Reporting Guide (“CSVR Guide”) is intended for Researchers to report to IMDA cyber security vulnerabilities that they have detected in the public-facing applications and networks of Telecommunication service providers such as the Internet Access, Mobile and Fixed-line voice/data service providers, Broadcast, Print (Newspaper) and Postal service providers operating in Singapore (“Relevant Organisations”).

When a Researcher detects any such vulnerabilities, we would like to encourage the Researcher to report the discovery as soon as possible. Researchers may visit the website of the Relevant Organisation to see if it has a vulnerability reporting framework, and if so, submit the vulnerability report directly to the Relevant Organisation.

Alternatively, Researchers may submit the vulnerability report to IMDA so that we can work with the Relevant Organisation to address the detected vulnerabilities before they are exploited by malicious actors and cause harm to end users. By submitting a vulnerability report to IMDA, the Researcher agrees to the terms stated in this CSVR Guide.

DOs and DON'Ts for Researchers

Please DO:

  1. email your vulnerability report to;

  2. prefix the subject header of your email with [CSVR];

  3. encrypt your email using our PGP key to protect its confidentiality;

  4. submit the vulnerability report to us as soon as possible;

  5. provide sufficient information about the detected vulnerabilities so that we can reproduce the issue, such as the following (where relevant or available):
    • description of the vulnerability

    • IP address of the affected system

    • URL of the affected system

    • date and time of access (inclusive of timezone)

    • product, version and configuration of the software containing the bug

    • step-by-step instructions to reproduce the issue

    • proof-of-concept

    • impact of the issue

    • suggested mitigation or remediation actions (if any);

  6. provide your name and email for us to contact you if we need clarifications; and

  7. let us know the name and email of anyone else that you have informed of the detected vulnerabilities.

Please DO NOT:

  1. use disruptive or destructive means to find vulnerabilities, including attacks on physical security, social engineering, denial of service, spam, brute force, or third party hacking/scanner applications to target websites;

  2. take advantage of the detected vulnerabilities, for example, by downloading more data than is necessary to demonstrate the vulnerabilities, building backdoors, copying/modifying/deleting any data, or compromising the personal data of other individuals;
  3. make changes to the system;
  4. gain access to the system repeatedly or share access with others; or
  5. publicly disclose the detected vulnerabilities before they are fixed as malicious actors might exploit them and cause harm to the Relevant Organisation and its users.

What IMDA Will Do 

IMDA will:

  1. act as coordinator between you and the Relevant Organisation that owns/operates the affected public-facing application or network; 
  2. endeavor to acknowledge receipt of your vulnerability report and notify the Relevant Organisation of the detected vulnerability within 10 business days from us receiving your report;
  3. endeavor to work, within 90 days from us receiving your report, with the Relevant Organisation to complete the resolution of valid vulnerabilities; 
  4. handle your report in strict confidence and not disclose your personal details to the Relevant Organisation or any third parties without your permission, unless required by law; 
  5. if you request, endeavor to work with you should you intend to publicly disclose the detected vulnerabilities after their resolution; 
  6. discuss with you in instances where we think that public disclosure of the detected vulnerabilities is undesirable in the public interest; and
  7. give recognition to the Researcher for contributions made, at our discretion.

Where circumstances warrant, we reserve the right, at any point in time, to:

  1. reject, redirect or prioritise any vulnerability reports received; or
  2. cease to act as coordinator between you and the Relevant Organisation.

What IMDA Will NOT Do

IMDA will NOT:

  1. be liable to you for loss or damage of any kind caused by any action that is taken or not taken by IMDA in relation to this CSVR Guide;
  2. assume any responsibility for the information provided by you nor shall our acceptance of your vulnerability report constitute any endorsement, verification or recommendation by us of the information therein;
  3. provide any protection or immunity from civil or criminal liability; or
  4. be obliged to consult you for any public statements that we and/or the Relevant Organisation considers necessary to release.

Nothing in this guide shall create any relationship of agency, partnership, association or joint venture between you or the Relevant Organisation and IMDA.

IMDA appreciates the efforts of Researchers in reporting cyber security vulnerabilities affecting infocomm and media services to us. We take all vulnerability reports seriously and will endeavor to ensure that each vulnerability report is investigated and that appropriate steps are taken to mitigate risk and remediate valid vulnerabilities.

Our PGP key:

Version: BCPG v1.47




Last updated on: 06 Apr 2021
