Cyber Security Vulnerability Reporting (CSVR) Guide

Introduction

The Info-communications Media Development Authority (“IMDA”) works closely with infocomm and media companies to ensure that the services they provide to the public are adequately secured against cyber threats. However, given the myriad of infocomm software solutions and applications, it is not possible to totally eliminate all cyber security vulnerabilities despite best efforts. By implementing a robust framework of IMDA regulations, IMDA helps to ensure that the public can access infocomm and media services with confidence, promoting a secure and resilient digital landscape in Singapore.

IMDA recognises that the cyber security researcher (“Researcher”) community regularly makes valuable contributions by making responsible disclosures to enhance the security of public-facing applications and networks of service providers, leading to a safer Internet user experience in Singapore.

Purpose

This Cyber Security Vulnerability Reporting Guide (“CSVR Guide”) is intended for Researchers to report to IMDA cyber security vulnerabilities that they have detected in the public-facing applications and networks of Telecommunication service providers such as the Internet Access, Mobile and Fixed-line voice/data service providers, Broadcast, Print (Newspaper) and Postal service providers operating in Singapore (“Relevant Organisations”).

When a Researcher detects any such vulnerabilities, we would like to encourage the Researcher to report the discovery as soon as possible. Researchers may visit the website of the Relevant Organisation to see if it has a vulnerability reporting framework, and if so, submit the vulnerability report directly to the Relevant Organisation.

Alternatively, Researchers may submit the vulnerability report to IMDA so that we can work with the Relevant Organisation to address the detected vulnerabilities before they are exploited by malicious actors and cause harm to end users. By submitting a vulnerability report to IMDA, the Researcher agrees to the terms stated in this CSVR Guide.

DOs and DON'Ts for Researchers

Please DO:

  1. email your vulnerability report to ISG_CERT@imda.gov.sg;
  2. prefix the subject header of your email with [CSVR];
  3. encrypt your email using our PGP key to protect its confidentiality;
  4. submit the vulnerability report to us as soon as possible;
  5. provide sufficient information about the detected vulnerabilities so that we can reproduce the issue, such as the following (where relevant or available):
    • description of the vulnerability
    • IP address of the affected system
    • URL of the affected system
    • date and time of access (inclusive of timezone)
    • product, version and configuration of the software containing the bug
    • step-by-step instructions to reproduce the issue
    • proof-of-concept
    • impact of the issue
    • suggested mitigation or remediation actions (if any);
  6. provide your name and email for us to contact you if we need clarifications; and
  7. let us know the name and email of anyone else that you have informed of the detected vulnerabilities.

Please DO NOT:

  1. use disruptive or destructive means to find vulnerabilities, including attacks on physical security, social engineering, denial of service, spam, brute force, or third party hacking/scanner applications to target websites;
  2. take advantage of the detected vulnerabilities, for example, by downloading more data than is necessary to demonstrate the vulnerabilities, building backdoors, copying/modifying/deleting any data, or compromising the personal data of other individuals;
  3. make changes to the system;
  4. gain access to the system repeatedly or share access with others; or
  5. publicly disclose the detected vulnerabilities before they are fixed as malicious actors might exploit them and cause harm to the Relevant Organisation and its users.

What IMDA Will Do

IMDA will:

  1. act as coordinator between you and the Relevant Organisation that owns/operates the affected public-facing application or network;
  2. endeavour to acknowledge receipt of your vulnerability report and notify the Relevant Organisation of the detected vulnerability within 10 business days from us receiving your report;
  3. endeavour to work, within 90 days from us receiving your report, with the Relevant Organisation to complete the resolution of valid vulnerabilities;
  4. handle your report in strict confidence and not disclose your personal details to the Relevant Organisation or any third parties without your permission, unless required by law;
  5. if you request, endeavour to work with you should you intend to publicly disclose the detected vulnerabilities after their resolution;
  6. discuss with you instances where we think that public disclosure of the detected vulnerabilities is undesirable in the public interest; and
  7. give recognition to the Researcher for contributions made, at our discretion.

Where circumstances warrant, we reserve the right, at any point in time, to:

  1. reject, redirect or prioritise any vulnerability reports received; or
  2. cease to act as coordinator between you and the Relevant Organisation.

What IMDA Will NOT Do

IMDA will NOT:

  1. be liable to you for loss or damage of any kind caused by any action that is taken or not taken by IMDA in relation to this CSVR Guide;
  2. assume any responsibility for the information provided by you nor shall our acceptance of your vulnerability report constitute any endorsement, verification or recommendation by us of the information therein;
  3. provide any protection or immunity from civil or criminal liability; or
  4. be obliged to consult you on any public statements that we and/or the Relevant Organisation consider necessary to release.

Nothing in this guide shall create any relationship of agency, partnership, association or joint venture between you or the Relevant Organisation and IMDA.

IMDA appreciates the efforts of Researchers in reporting cyber security vulnerabilities affecting infocomm and media services to us. We take all vulnerability reports seriously and will endeavour to ensure that each vulnerability report is investigated and that appropriate steps are taken to mitigate risk and remediate valid vulnerabilities.

Our PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.47

mQGiBF060ogRBADwade6/OC7LWA9IJSKFTyNyE5afuqen/tOcVJS7FKO/+Tz02TT
BfF0mLFOGKU0SyhJv2ZEa9ZyQmfYf9XGueYHbWcf84LCAv9Za1L+SKxaBEKOo8cM
laWbLXjlX4SP02bUKvbMPiwmUCCCutsILt5atHe0fFG0C88u+WI443nQQQCg0y5D
gVmxDjA7BGt9skrG+05C2a0EAKMLuOUtpjv+g06GN2xN7bedW+HWSslEqNSZFx0b
Nh4Z8TELJ7grQYNgpBCjQyxrVAoOaclDsGalufli6iaBdR8T4d+51vL27j7cdsNk
v+yz4TzcFCnn/e1M4IWe9F5lNfXXgWEzD4Xx190RMrRC/gwz4QUrsVT1YckcIO23
oKa/BADXVr5XUdX81gamzr4/+lTJLF9XyJZiHrKlwkNqC9mtczL4YOdvPZ89y27C
jnn+zsmSxU6jOWn6FARp15249k69kvWk1irnsLgDRtAf2wm5GuzRegYQKtlKymFW
DLqY2ylHm7M3VhluyAXMy+gJy9EImFyQsFWRNEVuKQKFTGVSCLQnSVNHLUNFUlQg
UEdQIGtleSA8aXNnX2NlcnRAaW1kYS5nb3Yuc2c+iEYEExECAAYFAl060ogACgkQ
gQeYC11Wt6E7vACcDbdWG0PWRSRYn3gkgyHu1gMIeqEAoI2qAppVzIBnxKEVF1XO
rhrnM0vpuMwEXTrSiBACAJSU/sCV87he4oZUKzg2/IGl3QoDSbTCOd04dE1IjPjj
Hbi8t9M7Qau55aM8ypFEsc7zMslL8Fc78EejrKmM3zsB/RU9XWFyrbQwRbaK6OHe
EHC2E3AFaG0p09c6d0kZloHuWyEsm5a/3PpbIM1eP9IESJXWCc+bQQt6DxLKHLmk
KMwB/3zdIpJWlCG6mI+rXLz7Kmb+OIPUKSV2il2WmWoqYr/nWV60DR1Ofu8Qr+J0
/eaUJ77Bk94cW8ufci/kt7rXxbSIRgQYEQIABgUCXTrSiAAKCRCBB5gLXVa3oc1g
AKCGAkGYOC2EBfaKVyFKiRIS3OyezACZAakmiF704SQ7/IGbswPjFutBslY=
=bXpP
-----END PGP PUBLIC KEY BLOCK-----

LAST UPDATED: 05 MAY 2023