CSA as a CVE Numbering Authority (CNA)

To facilitate effective collaboration, SingCERT will act as the coordinator between anyone that has identified or knows of a suspected vulnerability in a product or service (the “Informers”) and person/organisation responsible for a product or service (the “Systems Owners”). SingCERT will also manage the vulnerability disclosure policy, which provides the guidelines and sets out in detail on how Informers, System Owners and SingCERT, can contribute to the process of Responsible Vulnerability Disclosure (“RVD”).

RVD is a process where the System Owner is informed of a cybersecurity vulnerability in the product or system, in order that they may mitigate or eradicate the risk that the vulnerability may be exploited, and minimise or prevent potential harms that may result.

SingCERT supports RVD as a means of fostering cooperation between System Owner(s) and the wider cybersecurity community, so as to improve cybersecurity and build a trusted and resilient cyberspace.

SingCERT will act as a coordinator, whereby upon receiving a report from the Informer and will assist in contacting and passing along the report to the System Owner(s). Where necessary and appropriate, we the Informer and System Owner(s) may be put directly in touch, to enable better communication and coordination. System Owner(s) are also encouraged to develop their own vulnerability disclosure policies setting out how vulnerability reports will be received and handled, what the reports should contain, approaches for disclosure to affected users and the public, as well as any rewards policies. For reporting of vulnerabilities in any Singapore government-related systems or websites, please refer to Govtech’s Vulnerability Disclosure Programme.

Read the full Responsible Vulnerability Disclosure Policy

• Responsible Vulnerability Disclosure Policy [PDF, 177 KB]

For more information regarding this policy, please visit the FAQ page.