The Info-communications Media Development Authority (“IMDA”) works closely with infocomm and media companies to ensure that the services they provide to the public are adequately secured against cyber threats. However, given the myriad of infocomm software solutions and applications, it is not possible to totally eliminate all cyber security vulnerabilities despite best efforts.
IMDA recognises that the cyber security researcher (“Researcher”) community regularly makes valuable contributions through making responsible disclosures to enhance the security of public-facing applications and networks of service providers, leading to a safer Internet user experience.
This Cyber Security Vulnerability Reporting Guide (“CSVR Guide”) is intended for Researchers to report to IMDA cyber security vulnerabilities that they have detected in the public-facing applications and networks of Telecommunication service providers such as the Internet Access, Mobile and Fixed-line voice/data service providers, Broadcast, Print (Newspaper) and Postal service providers operating in Singapore (“Relevant Organisations”).
When a Researcher detects any such vulnerabilities, we would like to encourage the Researcher to report the discovery as soon as possible. Researchers may visit the website of the Relevant Organisation to see if it has a vulnerability reporting framework, and if so, submit the vulnerability report directly to the Relevant Organisation.
Alternatively, Researchers may submit the vulnerability report to IMDA so that we can work with the Relevant Organisation to address the detected vulnerabilities before they are exploited by malicious actors and cause harm to end users. By submitting a vulnerability report to IMDA, the Researcher agrees to the terms stated in this CSVR Guide.
DOs and DON'Ts for Researchers
- email your vulnerability report to ISG_CERT@imda.gov.sg;
- prefix the subject header of your email with [CSVR];
- encrypt your email using our PGP key to protect its confidentiality;
- submit the vulnerability report to us as soon as possible;
- provide sufficient information about the detected vulnerabilities so that we can reproduce the issue, such as the following (where relevant or available):
  - description of the vulnerability
  - IP address of the affected system
  - URL of the affected system
  - date & time of access (inclusive of timezone)
  - product, version and configuration of the software containing the bug
  - step-by-step instructions to reproduce the issue
  - impact of the issue
  - suggested mitigation or remediation actions (if any);
- provide your name and email for us to contact you if we need clarifications; and
- let us know the name and email of anyone else that you have informed of the detected vulnerabilities.
Please DO NOT:
- use disruptive or destructive means to find vulnerabilities, including attacks on physical security, social engineering, denial of service, spam, brute force, or third party hacking/scanner applications to target websites;
- take advantage of the detected vulnerabilities, for example, by downloading more data than is necessary to demonstrate the vulnerabilities, building backdoors, copying/modifying/deleting any data, or compromising the personal data of other individuals;
- make changes to the system;
- gain access to the system repeatedly or share access with others; or
- publicly disclose the detected vulnerabilities before they are fixed as malicious actors might exploit them and cause harm to the Relevant Organisation and its users.
What IMDA Will Do
- act as coordinator between you and the Relevant Organisation that owns/operates the affected public-facing application or network;
- endeavor to acknowledge receipt of your vulnerability report and notify the Relevant Organisation of the detected vulnerability within 10 business days from us receiving your report;
- endeavor to work, within 90 days from us receiving your report, with the Relevant Organisation to complete the resolution of valid vulnerabilities;
- handle your report in strict confidence and not disclose your personal details to the Relevant Organisation or any third parties without your permission, unless required by law;
- if you request, endeavor to work with you should you intend to publicly disclose the detected vulnerabilities after their resolution;
- discuss with you in instances where we think that public disclosure of the detected vulnerabilities is undesirable in the public interest; and
- give recognition to the Researcher for contributions made, at our discretion.
Where circumstances warrant, we reserve the right, at any point in time, to:
- reject, redirect or prioritise any vulnerability reports received; or
- cease to act as coordinator between you and the Relevant Organisation.
What IMDA Will NOT Do
IMDA will NOT:
- be liable to you for loss or damage of any kind caused by any action that is taken or not taken by IMDA in relation to this CSVR Guide;
- assume any responsibility for the information provided by you nor shall our acceptance of your vulnerability report constitute any endorsement, verification or recommendation by us of the information therein;
- provide any protection or immunity from civil or criminal liability; or
- be obliged to consult you for any public statements that we and/or the Relevant Organisation considers necessary to release.
Nothing in this guide shall create any relationship of agency, partnership, association or joint venture between you or the Relevant Organisation and IMDA.
IMDA appreciates the efforts of Researchers in reporting cyber security vulnerabilities affecting infocomm and media services to us. We take all vulnerability reports seriously and will endeavor to ensure that each vulnerability report is investigated and that appropriate steps are taken to mitigate risk and remediate valid vulnerabilities.
Our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.47
-----END PGP PUBLIC KEY BLOCK-----