Legal Protections for Individuals Reporting Security Vulnerabilities in Government-contracted Systems
Ministry of Digital Development and Information
Summary
This question concerns legal protections for individuals reporting security vulnerabilities in Government-contracted systems and the implementation of bug bounty programmes. Mr Kenneth Tiong Boon Kiat inquired about the lack of liability exemptions in the Vulnerability Disclosure Programme (VDP) for good-faith researchers. Minister for Digital Development and Information Mrs Josephine Teo explained that exemptions are withheld to prevent the legitimisation of intrusive testing and potential abuse by malicious actors. She highlighted a calibrated approach where the VDP receives good-faith reports while structured programmes, such as the Government Bug Bounty Programme, define specific scopes for deeper testing. This policy allows the Government to benefit from responsible disclosure while maintaining clear boundaries and safeguarding public systems.
Transcript
11 Mr Kenneth Tiong Boon Kiat asked the Minister for Digital Development and Information (a) what legal protections exist for individuals reporting security vulnerabilities in Government-contracted systems; (b) why the Vulnerability Disclosure Programme explicitly provides no exemption from civil or criminal liability, discouraging good-faith research; and (c) whether the Ministry will implement a bug bounty programme with legal protections to incentivise responsible disclosure.
Mrs Josephine Teo: The Government recognises that members of the public, including independent cybersecurity researchers, can play a constructive role in strengthening cybersecurity, and we welcome their responsible disclosure of vulnerabilities via the Vulnerability Disclosure Programme (VDP).
The VDP does not provide exemptions from civil or criminal liability because this could unintentionally legitimise intrusive testing or activities that may disrupt services or compromise sensitive data. Providing such exemptions may also be abused by malicious attackers attempting to disguise their activities through the VDP.
Instead, the Government adopts a calibrated approach. Members of the general public can report vulnerabilities discovered through the VDP and these will generally be viewed in good faith by the authorities. More in-depth security testing is conducted through structured programmes, such as the Government Bug Bounty Programme and Vulnerability Rewards Programme, where the scope of authorised access and permissions is clearly defined.
This approach allows the Government to benefit from responsible disclosure by the cybersecurity community, while safeguarding public systems and maintaining clear boundaries on the degree of cybersecurity testing which is permissible.