The safety and security of our stakeholders’ data (including customers, employees, partners and suppliers), and the reliability of our products and services, are important to Changi Airport Group (S) Pte. Ltd. (“CAG”). Therefore, we aim to design and develop products and services with high levels of security and reliability. Despite our best efforts, due to the complex and sophisticated nature of our products and services, vulnerabilities and errors may still be present. CAG’s vulnerability disclosure program is part of our efforts to enhance our cybersecurity posture, especially as it relates to our products and services. This Vulnerability Disclosure Policy (“VDP”) describes CAG’s vulnerability disclosure program and sets out CAG’s approach to requesting and receiving reports related to potential vulnerabilities and errors in our products and services. This VDP also outlines the terms and conditions for responsible vulnerability reporting.
Products and services in this VDP refer to digital products and services provided by CAG through https://www.changiairport.com and https://www.ishopchangi.com/.
Please note that CAG’s vulnerability disclosure program does not authorise, permit or endorse the taking of any action which may contravene applicable laws and regulations such as the Computer Misuse Act 1993. For the avoidance of doubt, any attempt to exploit or test suspected vulnerabilities such as by gaining unauthorised access to any computer/data is strictly prohibited, and neither permitted nor encouraged.
TERMS AND CONDITIONS
By submitting a report to CAG, or otherwise communicating to CAG regarding any vulnerabilities and errors, you agree that:
- CAG may use your report for any purpose deemed relevant by CAG, including without limitation, to correct any vulnerabilities and errors that you report, and without any attribution, credit or remuneration to you or any consultation with you.
- You have not exploited or used in any manner, and will not exploit or use in any manner other than for the purposes of reporting to CAG, the discovered vulnerabilities and/or errors.
- You have not engaged, and will not engage, in any actions (including testing/reconnaissance of systems) with the intention of harming CAG, its customers, employees, partners or suppliers.
- You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered.
- You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks as they relate to CAG’s products and services.
- You have not breached, and will not breach, any applicable laws (such as the Computer Misuse Act 1993) in relation to and in connection with the submission of your report to CAG.
- You will not disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, nor the fact that a vulnerability and/or error has been reported to CAG.
- CAG does not guarantee that you will receive any response from CAG related to your report. CAG will only contact you regarding your report if CAG (at its absolute discretion) deems it necessary.
- You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, and without any expectation that the vulnerabilities and/or errors reported are corrected by CAG.
- You will comply with the Code of Conduct for Participants of CAG’s Vulnerability Disclosure Programme.
- CAG shall not be liable for any expense, damage or loss of any kind which you may incur due to any action taken or not taken by CAG in relation to any vulnerability or error you may report.
- CAG shall not accept or assume any responsibility for the contents of any report you submit, nor shall CAG’s acknowledgment or processing of such report constitute any kind of acceptance or endorsement of the contents of your report.
- A proof of concept regarding the reported vulnerability should not be malicious in nature. Malicious actions include, but are not limited to, the following: tampering with existing data in a database, adding bogus records to a database, or deleting records. Where a SQL injection vulnerability exists, querying for the version of the database is sufficient to demonstrate the ability to read the database. Enumerating the existing rights in the context of the SQL server session is also allowed. In a time-based SQL injection context, showing that the response time varies and corresponds to the different values set in the sleep function suffices. Showing the hostname is sufficient for RCE vulnerabilities.
- You agree not to establish persistence by any means. A reverse shell or C2 connection back to your own C2 infrastructure is strictly forbidden.
CODE OF CONDUCT FOR PARTICIPANTS OF CAG’S VULNERABILITY DISCLOSURE PROGRAMME
- Participants should act responsibly and with the sole purpose of reporting suspected vulnerabilities and errors.
- Participants shall avoid any kind of harm, damage or loss to individuals or organisations. This includes any actions that may cause interruption to or degradation of any services, such as brute forcing and Distributed Denial of Service (“DDoS”) attacks.
- Participants shall not attempt to exfiltrate any computer data or publish details or publicly disclose any suspected vulnerabilities or errors to any third party apart from CAG.
- Upon detecting any vulnerability or error in CAG’s products or services, kindly notify CAG immediately by clicking the ‘Submit a report’ button at the bottom of the page.