National Vulnerability Reporting Programme

Recent incidents have convinced me of the need to have a single avenue where the public can responsibly disclose vulnerabilities found on both government as well as commercial systems in a secure and efficient manner. While using these systems on a day to day basis, we sometimes do chance upon these vulnerabilities. It is crucial to make the vulnerability reporting process as pain free and seamless as possible, so as not to turn us off from reporting them. I believe that SingCERT is a suitable location to house this programme as SingCERT already handles the incident reporting process and works with both the public and private sector to resolve these incidents.

Convenience

Reporting vulnerabilities is a cumbersome process. Firstly, it is impossible to go through the normal customer service email or hotline. The customer service officers are trained only to deal with routine usability issues and cannot comprehend the fact that the system actually has a problem. They will stonewall you and refuse to escalate the case. One has to literally barge in through the front door with proof of the vulnerability and demand to speak to someone who understands the problem. To compound the issue, most ministries/stat boards only function from 9am - 5pm, Monday to Friday, which means that you actually have to take leave to go down to report the vulnerability.

With the vulnerability reporting programme in place, you can send an email with details of the vulnerability and SingCERT will follow up with the relevant agency during office hours.

Conflict of interest

Assuming that you have managed to cross the first hurdle, the second issue is a blatant conflict of interest. You will be speaking to the department in charge of maintaining the system. If they acknowledge the existence of the vulnerability, it would mean more work for them to resolve it. They would probably also have to answer to their superiors on why the vulnerability was not picked up before the system launch. It is therefore in their best interest to cover it up. This is easily done by claiming that it is a "business decision" to design the system in such a way. Even if you are able to suggest a quick fix, they will counter with the argument that there is too much "red tape" involved just to even change a single line of code.

Officers from SingCERT would be able to make a more impartial assessment on whether the vulnerability is critical enough to warrant a patch or if the current risks are acceptable. Furthermore, since they have the mandate and coming through the proper channel, it is more difficult to simply brush them off.

Responsible disclosure

In order to be taken seriously and gain an audience with the relevant agency, you will need to provide proof that you have managed to exploit the vulnerability. This can be as simple as a screenshot of a page which you are not supposed to be able to access. By sending the proof to them, you are also sending them evidence of your illegal actions. Your intentions might be good. You might not have made any unauthorised modifications or accessed any other privileged information. However, you have still committed a crime and that evidence may be used against you. If the system contains member of public's personal information, the ethical thing to do may be to publish the vulnerability to force them to patch it, so malicious hackers can no longer access it. In such a case, they can and will use that evidence to blackmail you into silence.

SingCERT should publish an ethical hacking policy and the public will need to abide by the policy to participate in the programme. As of now, if you suspect a vulnerability in a particular system, you can either choose to break the law or turn a blind eye. It is impossible to obtain permission from an agency to confirm your suspicions.

Recognition

Providing recognition is a cheap way to encourage more participation in the programme. A letter of appreciation would do well to pad a budding security researcher's resume. If you are feeling generous, offering a bug bounty will provide even more incentive for others to come forward to disclose bugs.

We are preparing to launch the SGSecure movement at the end of this month. One overarching theme is the necessity of community involvement and support in the fight against terrorism. Needless to say, an attack targeting critical sectors such as our utilities and transportation system would be devastating. Help us to help you create a more secure Singapore.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJX3mOJAAoJEAuReErcSGBf1MQQAIQdYvGJl2KuoBfeqMNTz/7Y
fi0HZ6qIJBcFtLXbwH3oCavAQNgu/GKOUfMgIwYYGkZfHB7Tk/MOQvShr70LOvws
jBxODhmhEMB6kXBIGYtZ80KzEN0tzYCrz/666SssUIlIN3Ekq7oBm2gcQqHYcqxl
gpivuqZChYM1wQRo/XVFtFgdSpdcXgYWKO1k+Ashmyo4Km1fR0QkSyOakocvyOKd
NuF+wy3i9meuYnzr1mCj261m5S5d0ToHG+mpYfACkGwAl+aASkxVqmjJkKOx9+3z
RxwE5mzjDRnaSLa5cWv+UwB1SF8XThsbgi6OERoq7dXymcMFDDzyIsUCt8BtO5t7
OOjATTFSthJ5aAffGYb9xrfOiHf7KHZkIoW/IeB9PRflCr3wZO/dPWfYXp5MuG7i
Ia2xlzcik9sVSQB9H3t8Nt/FSeGyF+w7TezzOYX3RrPzCxO3mSHAedbafvykl3bL
nRDZkzogBOj53Ll+feCUZ75YnvtA8C6jXSrDDtWNG0OBj6grd5O4NSrITj6CCMde
n38VJd9xzBi9l/NV9DwuIplsZXk/UnuQMjWWTiYuAEAqb90F3xdKWYiDKBHAySJm
8sC+qt5Xx7qToTcEVInaQOLWXqmfF/y2n9maSqOh/MRKdbJvZQShDaaMSZwo95Qs
Snto3rClDF50GNBKqDxY
=rzz2
-----END PGP SIGNATURE-----