Report a vulnerability

We appreciate your efforts in identifying vulnerabilities or errors, and your intention to notify us of them.

Bank of Singapore is committed to ensuring the security of our clients’ data and reliability of our products and services. Reporting such vulnerabilities and errors will improve the security and reliability of our product and services.

Please review our Vulnerability Disclosure Policy (the Policy) below before reporting a vulnerability. The Policy provides guidelines for conducting vulnerability discovery activities and the reporting.

Restricted actions

Performing any of the unauthorised actions below constitutes a violation of the Policy:

• Breach of any applicable laws in connection with and leading up to your report
• Denial-of-service or other actions that degrade, damage, or interrupt Bank of Singapore services
• Exploitation of any vulnerabilities found
• Social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks
• Testing the physical security of any property, building, plant, or factory of Bank of Singapore
• Leaking, modifying, destroying, misusing or abusing user data or system files

Reporting method

The best way to report security vulnerabilities to us is by submitting a vulnerability report form.

By submitting a report through the form, you expressly agree to the following terms and undertake that:

• you assign all use and ownership rights of the report to Bank of Singapore
• your actions and interactions with Bank of Singapore leading up to the report is not in violation of any applicable laws
• you have no intention of harming Bank of Singapore, its clients, employees, partners, vendors or suppliers
• you agree to not disclose any information about the report and vulnerability described within, and the fact that you submitted a report to Bank of Singapore
• you agree that the report is made out of goodwill, and is done without any expectations of rewards, monetary or otherwise, from Bank of Singapore

You will need to provide your contact information when you report a vulnerability using the form.

Providing your contact information in your vulnerability report is entirely voluntary and at your discretion. This does not guarantee that Bank of Singapore will respond regarding your report. We may contact you depending on the report’s content.

By submitting your contact information through the vulnerability report form, you agree that Bank of Singapore may use the information you provide according to our ‘Data Protection Policy’.