C.6 Vulnerability Disclosure Program 

60. Requirement 4 mandates that all entities must have in place a vulnerability disclosure program. This includes having a publicly available vulnerability disclosure policy supported by processes and procedures for receiving, verifying, resolving and reporting on security vulnerabilities disclosed by both internal and external sources. 

61. Implementing a vulnerability disclosure program, based on responsible disclosure, can assist entities, vendors and service providers to improve the security of their products and services as it provides a way for security researchers, customers and members of the public to responsibly notify them of potential security vulnerabilities in a coordinated manner. Furthermore, following the verification and resolution of a reported security vulnerability, it can assist entities, vendors and service providers in notifying their customers of any security vulnerabilities that have been discovered in their products and services and any recommended security patches, updates or mitigations. 

62. For guidance on the creation and maintenance of vulnerability disclosure programs, see the Information Security Manual and Guidelines for Software Development.

A new iteration of the Guidelines for Software Development, including updated guidance on vulnerability disclosure programs, was published in March 2025.

Principle 2: Implement a vulnerability disclosure policy 

IoT device manufacturers, IoT service providers and mobile application developers should provide a public point of contact as part of a vulnerability disclosure policy in order for security researchers and others to report issues. Disclosed vulnerabilities should be acted on in a timely manner. Implementing a bug bounty program encourages and rewards the cyber security community for identifying and reporting vulnerabilities, thereby facilitating the responsible and coordinated disclosure and remediation of vulnerabilities. 

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.

Recommends and outlines best practices for "Informers" and "System Owners". The policy also explains in which cases SingCERT can/cannot act as a conduit between Informers and System Owners. Broadly speaking, "SingCERT supports RVD as a means of fostering cooperation between System Owner(s) and the wider cybersecurity community, so as to improve cybersecurity and build a trusted and resilient cyberspace."

"System Owners are encouraged to develop their own vulnerability disclosure policies setting out how vulnerability reports will be received and handled, what the reports should contain, approaches for disclosure to affected users and the public, as well as any rewards policies." They are also encouraged to keep open contact with the former to take in more information and to update SingCERT and the Informer of its assessments. 

If the Informer cannot reach the System Owner for some reason, SingCERT can act as a liaison between the two. For this process, that informer would report the vulnerability to SingCERT via email. 
 

Version 2.0 of this manual was released in October 2024.