Security Vulnerability Reporting
Singapore Commercial Credit Bureau (SCCB) is committed to maintaining the security, availability, and integrity of our digital services. We welcome responsible disclosure of security vulnerabilities so they can be assessed and remediated in a timely manner.
Scope
This programme applies to:
- SCCB websites, including https://www.sccb.sg/
- Public-facing SCCB applications, portals, and APIs operated by SCCB
Third-party systems or services not operated by SCCB are out of scope.
How to Report
If you believe you have identified a security vulnerability, please report it via email:
Subject: [SCCB VDP] Vulnerability Report
Please include:
- A clear description of the issue
- Steps to reproduce (if applicable)
- Supporting evidence (screenshots, logs, proof-of-concept)
- Potential impact assessment
PGP-encrypted submissions are supported and encouraged where possible.
Responsible Disclosure
We ask that reporters:
- Act in good faith and minimise risk or disruption
- Avoid accessing, modifying, copying, or deleting data
- Refrain from denial-of-service testing or social engineering
- Stop testing once the issue has been identified
Legal & Compliance
- This Vulnerability Disclosure Programme does not authorise activities that may be unlawful.
- All testing and reporting must comply with applicable Singapore laws, including the Computer Misuse Act 1993 and the Personal Data Protection Act 2012 (PDPA).
- Please do not submit personal data unless it is strictly necessary to demonstrate the vulnerability, and do not publicly disclose vulnerabilities without SCCB’s prior written consent.
- Nothing in this programme limits SCCB’s right to take appropriate action in response to unlawful activities.
Our Commitment
SCCB will:
- Acknowledge vulnerability reports within a reasonable timeframe
- Assess and prioritise confirmed issues based on risk
- Take remediation actions where appropriate
This programme does not offer monetary rewards.