Crowdsourced Vulnerability Discovery Programme
Explore the Crowdsourced Vulnerability Discovery Programme allowing cyber researchers and citizens to report cyber threats and contribute to secure government digital services.
Last updated 9 September 2025
On this page
Help keep the government's digital services secure with the Crowdsourced Vulnerability Discovery Programme (CVDP)
CVDP is a part of government efforts to crowdsource help from cyber security researchers and members of the public to find and report weaknesses in government digital services.
Helps identify and fix vulnerabilities to protect users.
Consists of three programmes under CVDP, namely the Government Bug Bounty Programme (GBBP), Vulnerability Disclosure Programme (VDP) and Vulnerability Rewards Programme (VRP).
Cyber threats are increasingly becoming prevalent and sophisticated. With digital services provided by Singapore's government agencies collectively receiving millions of unique visits every day, there is a need to safeguard our users from potential risks.
Just like maintaining security in the physical world, ensuring cybersecurity requires the vigilance of everyone.
That is why we have rolled out the Crowdsourced Vulnerability Discovery Programme (CVDP), which consists of three programmes that complement government agencies' periodic security testing and proactive monitoring efforts by identifying residual vulnerabilities through cyber security researchers and citizens.
Together, these efforts help to avert potential serious cybersecurity incidents and improve the security of government systems.
What are the three programmes under CVDP?
CVDP programmes
Government Bug Bounty Programme (GBBP) Launched since Dec 2018 | Vulnerability Disclosure Programme (VDP) Launched since Oct 2019 | Vulnerability Rewards Programme (VRP) Launched since Aug 2021 | |
|---|---|---|---|
Objective | To conduct in-depth testing (production or staging systems) with test credentials provided | To report vulnerabilities that citizens chance upon | To conduct testing in full production setup and no test credentials are provided |
Mode of Operation | Increase from two to four times a year 2 weeks each run | Runs all year round | Runs all year round |
Reward | Monetary | N.A. | Monetary |
How to participate? | A seasonal programme that only invited highly skilled researchers can participate | Citizens can participate by simply scrolling to the bottom of any Government websites and find the 'Report Vulnerability' link in the footer. Access the VDP page to understand the Codes of Conduct, and what to expect. | Only invited highly skilled researchers can participate |
Why contribute to CVDP?
Contribute to government cybersecurity efforts
Strengthen the security posture of government ICT systems and digital services used by citizens, businesses and public sector employees.
Be a conscientious web user
When you actively report vulnerabilities, you are protecting other users from damage, harm or loss.
Receive rewards for your contributions
Bounties will be given for valid vulnerabilities discovered in GBBP and VRP.
