Being a Registrar

General

What is the role of a registrar?

The registrar will have agreements with the registrants and will collect registration data about the registrants. Registrars will also insert and renew domain names on behalf of the registrants in the registry database.

What is the minimum period of accreditation for registrars?

Currently, SGNIC will accredit registrars for a period of 3 years. SGNIC will review renewal requests submitted by registrars on a case-by-case basis.

How do I become an SGNIC accredited registrar?

The process and criteria for becoming a SGNIC accredited registrar are outlined in detail in the document “Information to apply for accreditation”.

What are the minimum criteria to be an accredited registrar?

The minimum criteria are:

  • Applicants will need to have a minimum working capital of S$50,000. Foreign-based applicants will also need to be ICANN-accredited.
  • Technical capability, such as the ability to accommodate all the archival databases, including the creation and maintenance of a Whois-type public access database service and the provision of daily back-ups and archives of them.
  • Ability to provide prompt service to registrants for their registration needs.
  • At least six months (continuous) prior experience in domain name registration business.
  • Ability to maintain a minimum of 100 new domain name registrations per year to remain accredited.

What are the financial considerations before I decide to apply to be an accredited registrar?

The following financial considerations apply:

  • S$1,000 non-refundable application fee, to be submitted together with application.
  • A minimum working capital of S$50,000 for all applicants for the preceding 2 years before application.
  • S$30,000 performance bond in the form of a banker’s guarantee for companies which are not able to produce two years' worth of audited statements showing a minimum working capital of S$50,000, or where, in SGNIC’s assessment, it is necessary for a potential registrar to provide a performance bond.
  • A S$4,500 accreditation fee for successful applicants. This accreditation fee will cover an accreditation period of three years. Thereafter, renewal of registrar accreditation is at three-yearly intervals at a fee of S$4,500.
  • A S$3,000 starting balance in the Deposit Account with SGNIC.
  • Prevailing taxes will apply to fees payable.

Is there a limit to the number of registrars SGNIC will accredit?

To encourage competition and promote innovation, there will be no limit on the number of registrars accredited by SGNIC.

Technical - General

Is SGNIC a thick registry or thin registry?

SGNIC is a thick registry in which all information associated with registered domain names is stored within SGNIC’s registry database.

Do registrars’ IP addresses need to be whitelisted for accessing SGNIC’s services?

Yes, only whitelisted IP addresses can access SGNIC’s EPP service and registrar panel (for both OTE and/or Production). Log in to the respective registrar panel (OTE or Production) to submit IPs for whitelisting. Up to 5 x /29 IP address ranges are supported per registrar. On Mondays and Thursdays, SGNIC will process the IP whitelisting requests that are sent in before Monday and Thursday respectively.

Does SGNIC support Domain Name System Security Extension (DNSSEC)?

Yes, SGNIC launched the Domain Name System Security Extension (DNSSEC) feature for .sg domain names in September 2016. SGNIC encourages all registrars to support the feature for their .sg registrants.

Technical - EPP

Does SGNIC provide EPP access?

Yes, registrars may use Extensible Provisioning Protocol (EPP) to connect to SGNIC. Registrars will need to take note of some EPP extensions that have been customised to meet SGNIC’s registration requirements. SGNIC also provides a Java API for registrars who may need it to simplify EPP-based communications. Please refer to SGNIC’s EPP documents in the registrar portal for details.

Is an SSL certificate required to connect to the registry? 

Yes, an SSL certificate is required for EPP connection. Certificates issued by major Certificate Authorities (CA) will be recognized. If you do not have any commercial CA-issued certificate, you may contact SGNIC for an SGNIC-issued certificate.

Is there a restriction on the number of simultaneous EPP connections?

Yes, there is a limit of 10 simultaneous connections per registrar.

Technical - WHOIS

Does SGNIC provide WHOIS services?

Yes, SGNIC provides best-effort WHOIS service via the following interfaces:
  1. Port 43 WHOIS service: whois.sgnic.sg (public)
  2. Web-based WHOIS service: https://www.sgnic.sg (public); and
  3. https://registrar.sgnic.sg/whois/whois.jsp (registrars only)

Is there a restriction on the number of WHOIS connections?

Yes, SGNIC would bar an IP address (for an hour) from accessing WHOIS service if it detects WHOIS query floods. In any case, registrars must not use WHOIS for domain availability checks (EPP ‘domain check’ command should be used instead).

Technical - Domain Name

How many characters are allowed for a .sg domain name?

A .sg domain name (excluding the category suffix such as ‘.sg’ or ‘.com.sg’) must be between 1 and 63 ASCII characters. This restriction also applies to the Punycode format of Chinese and Tamil Internationalized Domain Names (IDN).

What are the characters allowed in a .sg domain name?

For ASCII/Latin domain names, only letters, digits and hyphen (LDH) are allowed. Chinese characters are allowed for all domain name categories including .新加坡. Tamil characters are allowed for .சிங்கப்பூர்.

Does SGNIC support Internationalized Domain Names (IDN)?

Yes, SGNIC supports Chinese and Tamil domain names.

What is the typical lifecycle of a domain name?

A typical domain lifecycle is shown in the figure below:

[Figure: domain lifecycle (faq_domain_lifecycle)]

When will a domain be EXPIRED/DELETED/PURGED?

EXPIRED Status

The SgR2R registry system runs an automated script at an hourly interval (45th minute of every hour) to update affected domains to EXPIRED status. An ACT (Active) domain goes into EXP (Expired) status when the expiry date/time is past the execution date/time of the automated script. Specifically, the formula used to determine if the status of a domain name should be changed to "EXP" is given by: (Date/Time when script is run) > (Expiry Date/Time).

DELETED Status

The SgR2R registry system runs an automated script at an hourly interval (45th minute of every hour) to update affected domains to DELETED status.  An EXPIRED domain goes into DELETED Status when the expiry date/time is 30 days past execution date/time of the automated script.  Specifically, the formula used to determine if the status of a domain name should be changed to "DEL" is given by: (Date/Time when script is run) - (Expiry Date/Time) > (30x24 hours).

PURGED Status

The SgR2R registry system runs an automated script at regular intervals (45th minute of every hour) to PURGE domains with DELETED status. A DELETED domain name gets PURGED when the deleted date/time is 30 days past execution date/time of the automated script. Specifically, the formula used to determine if a domain name should be PURGED is given by: (Date/Time when script is run) - (DELETED Date/Time) > (30 x 24 hours).

Although the specific DELETED Date/Time is not available in public WHOIS and thus the specific date/time of the purging cannot be derived accurately by the public, the general advice to the public would be that under normal circumstances, a domain name will be purged on the next 45th minute after 60 x 24 hours have passed since the domain name expiry date/time. 

For example: Domain name expiry date/time: 03-Dec-2011 07:23:52. Domain name purge date/time: 01-Feb-2012 07:45:23.

However, SGNIC does not guarantee that all domain names will be purged as described above, as there may be other reasons that prevent the purging (e.g. the domain name is being held for pending court cases or there were system maintenance activities during the execution of the automated script).
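The three formulas above can be turned into an expiry monitor for a domain portfolio. This is an added example, not SGNIC code: it treats timestamps as naive registry-local times (the page does not state a time zone), uses constructed domain names, and estimates the purge time with the 60 x 24 hours rule of thumb because the real DELETED timestamp is not public.

```python
from datetime import datetime, timedelta

# Timings stated in the FAQ above.
SCRIPT_MINUTE = 45                              # life-cycle script runs at hh:45
EXPIRED_TO_DELETED = timedelta(hours=30 * 24)   # EXP -> DEL
DELETED_TO_PURGED = timedelta(hours=30 * 24)    # DEL -> purge

# What can still be done in each state, per the FAQ's status descriptions.
ACTIONS = {
    "ACTIVE": "renew before the expiry date/time",
    "EXPIRED": "name does not resolve; renew before it moves to DELETED",
    "DELETED": "name does not resolve; reinstate (fee plus 1-year renewal) before purge",
    "PURGED": "escrow period is over",
}


def next_script_run(after):
    """First hh:45:00 run strictly later than `after` (the formulas use '>')."""
    run = after.replace(minute=SCRIPT_MINUTE, second=0, microsecond=0)
    if run <= after:
        run += timedelta(hours=1)
    return run


def estimate_lifecycle(expiry):
    """Estimated script runs at which a domain turns EXPIRED, DELETED, PURGED.

    Pending transfers, court-order holds and maintenance windows can delay
    these transitions; the FAQ gives no guarantee, so treat them as estimates.
    """
    return {
        "EXPIRED": next_script_run(expiry),
        "DELETED": next_script_run(expiry + EXPIRED_TO_DELETED),
        "PURGED": next_script_run(expiry + EXPIRED_TO_DELETED + DELETED_TO_PURGED),
    }


def estimated_status(expiry, now):
    """Return (status, deadline for the action listed in ACTIONS)."""
    t = estimate_lifecycle(expiry)
    if now < t["EXPIRED"]:
        return "ACTIVE", expiry          # still ACT until the next hh:45 run
    if now < t["DELETED"]:
        return "EXPIRED", t["DELETED"]
    if now < t["PURGED"]:
        return "DELETED", t["PURGED"]
    return "PURGED", None


def lapse_report(portfolio, now, warn_within=timedelta(days=30)):
    """Domains needing attention as (name, status, deadline, action), most urgent first."""
    rows = []
    for name, expiry in portfolio.items():
        status, deadline = estimated_status(expiry, now)
        if status == "ACTIVE" and expiry - now > warn_within:
            continue                     # not close enough to expiry to report
        rows.append((name, status, deadline, ACTIONS[status]))
    # Purged names have no deadline left, so they sort last.
    return sorted(rows, key=lambda r: (r[2] is None, r[2] or now))


# Constructed sample data (names and dates are illustrative only, except the
# first expiry, which is the FAQ's own worked example).
SAMPLE_NOW = datetime(2012, 1, 10, 12, 0, 0)
SAMPLE_PORTFOLIO = {
    "constructed-a.sg": datetime(2011, 12, 3, 7, 23, 52),
    "constructed-b.sg": datetime(2011, 12, 28, 9, 0, 0),
    "constructed-c.sg": datetime(2012, 1, 25, 18, 30, 0),
    "constructed-d.sg": datetime(2012, 9, 1, 0, 0, 0),
}

if __name__ == "__main__":
    for name, status, deadline, action in lapse_report(SAMPLE_PORTFOLIO, SAMPLE_NOW):
        print(f"{name:18} {status:8} {deadline}  {action}")
```

The seconds in a real purge timestamp (07:45:23 in the FAQ's example) reflect when the script actually ran, so the estimate is accurate to the hh:45 slot, not to the second.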

Is there any grace period for new registrations?

Registrars are given fourteen (14) days grace period for new registrations. If a registrar withdraws the registration by deleting* a domain name within this grace period, the registration fee will be refunded to the registrar automatically.

* Only domain deletion with “Registrant Request” type will be refunded within 14-days grace period for new registrations.

How is the 14-days grace period for new domain name registrations calculated?

The 14-days grace period for new registration is defined as 14 days from the date and time of the registration.

Specifically, the formula used to determine whether a deletion is within the 14 days period is given by:
(Deletion Date/Time) - (Registration Date/Time) < (14 x 24 Hours)

Here are some examples:

| Registration Date/Time | Deletion Date/Time | Is Deletion within 14-days Grace Period? | Is it eligible for refund? |
| --- | --- | --- | --- |
| 01-03-2018 13:01:05 | 15-03-2018 09:10:25 | Yes | Yes |
| 01-03-2018 13:01:05 | 15-03-2018 20:15:45 | No | No |



What are the term options (i.e. number of years) for domain name renewals?

The term options are 1 year and 2 years, provided that the expiry date of the registration after such renewal does not exceed 36 months from the date SGNIC receives the renewal instruction.

Is there any grace period for domain renewal?

Registrars are given fourteen (14) days grace period for each domain renewal (“Renewal Grace Period”). If a registrar cancels the renewal within this grace period, the renewal fee will be refunded to the registrar automatically, subject to the following exceptions:
  1. the domain name has been transferred to another registrar (even if the renewal transaction is still within Renewal Grace Period); or
  2. the domain name is 'renewed' as part of a domain transfer command (A transfer command can be tied with either 0, 1 or 2-year renewal); or
  3. the domain name is 'renewed' via a domain reinstatement command (where a mandatory 1-year renewal is imposed).

How is the 14-days grace period for domain renewal calculated?

The 14-days grace period for domain renewal is defined as 14 days from the date and time of the renewal.

Specifically, the formula used to determine whether a cancellation of renewal is within the 14 days period is given by:

(Cancellation Date/Time) - (Renewal Date/Time) < (14 x 24 Hours)

Here are some examples:

| Renewal Date/Time | Cancellation Date/Time | Is cancellation within 14-days Grace Period? | Is it eligible for refund? |
| --- | --- | --- | --- |
| 01-03-2018 13:01:05 | 15-03-2018 09:10:25 | Yes | Yes |
| 01-03-2018 13:01:05 | 15-03-2018 20:15:45 | No | No |

If a domain name has been renewed more than once, how should renewal cancellations be performed?

If a domain name has more than one renewal transaction eligible for cancellation (i.e. all within the 14-days Renewal Grace Period), the registrar will need to cancel the renewals one at a time, on a "last-in-first-out" basis (i.e. cancel the latest renewal first, followed by the second last one).

Will there be refunds for renewals if a domain name is deleted during the 14-days grace period for new registrations?

No, only the fees for new registrations will be refunded. To get the refund for the renewal, registrars should first cancel the renewal transaction(s) before deleting the domain name.

What is ‘reinstatement’?

If a domain name has “Deleted” status (i.e. in the 30 day ‘deletion escrow period’), it may be reinstated with a reinstatement fee. Such a reinstatement would also incur a mandatory one (1) year renewal fee. The new expiry date shall be 1 year from the date SGNIC receives the reinstatement/renewal instruction.

What are the term options (i.e. number of years to renew) for domain transfer?

The term options are 0 year, 1 year and 2 years, provided that the expiry date of the registration after such renewal does not exceed 36 months from the date SGNIC receives the transfer (with renewal) instruction.

Is there any grace period for domain transfer?

No. The renewal fees associated with domain name transfers with 1- or 2-year renewal terms will not be refunded if a domain name is deleted after a registrar transfer.

Is the EPP ‘Authorisation Code’ required during domain transfer?

Yes, ‘Authorisation Code’ is required when the gaining registrar initiates/requests the domain transfer.

How will registrars involved in a domain transfer process be notified about the various transfer stages?

Email notifications will be sent to the registrars at the different transfer stages. On top of that, registrars can use the EPP ‘poll’ command to get the latest status of the domain transfer.

When will registrar transfers be auto-approved by the system?

A registrar transfer request will be automatically approved after 7 days if there is no explicit action (approve or reject) from the losing registrar. A script will be run at midnight every day to auto-approve registrar transfers.

Specifically, a transfer request will be approved if:
(Date/Time when script is run) - (Date/Time of transfer request) > (7 x 24 hours)

Can the gaining registrar view or change the contact details of a domain name that is transferred from another registrar?

No. After a domain name has been transferred to a gaining registrar, the contact objects (i.e. Registrant, Administrative, Technical and Billing contact) will still be contact objects belonging to the previous registrar. Therefore, the system would not allow the gaining registrar to view or change the contacts. The gaining registrar shall obtain the contact details from the registrant and create a new set of contact objects to replace the old contacts after the completion of a domain transfer.

What are the different options for domain deletion?

The following table provides information on the various domain delete options and the corresponding system behaviour:

| Operation Type | System Behaviour | Is reinstatement allowed? | Eligible for refund if deletion takes place within the 14-day new registration grace period? |
| --- | --- | --- | --- |
| Delete | Domain will be placed in escrow period of 30 days before purging | Yes | No |
| Delete: Registrar Request | Domain will be placed in escrow period of 30 days before purging | Yes | No |
| Lame Domain | Domain will be placed in escrow period of 30 days before purging | Yes | No |
| Delete: Breach of Contract | Domain will be placed in escrow period of 30 days before purging | No | No |
| Delete: Registrant Request | Domain will be purged immediately | No | Yes |
| Delete: Court Order | Domain will be purged immediately | No | No |

How do registrars perform domain name availability checks? Can registrars use WHOIS for checking domain name availability?

Registrars must use EPP’s ‘domain check’ command for availability checks. Registrars shall not use WHOIS for domain availability checks as the WHOIS service is meant for ad-hoc domain information checks only.

What are the different types of domain name status?

The following table provides information on the various statuses of a domain name:

| Domain Status | Status Description | Remarks |
| --- | --- | --- |
| OK | Active / Normal | -- |
| EXPIRED | Domain has expired and is in the 30-day grace period before being updated with DELETED status | Domain name cannot be resolved. Manual/EPP renewal allowed. |
| DELETED | Domain is in the delete escrow period of 30 days before purging | Domain name cannot be resolved. Manual/EPP reinstatement allowed, except for those deleted under “Delete: Breach of Contract”. |
| DELETED (Pending registrar confirmation) | DELETE action on RegistryLock domain name by the registrar is pending registrar’s confirmation via an Out of Band (OOB) process | SGNIC will send the registrar an email containing the instructions to confirm (or reject) the deletion. |
| PENDING TRANSFER | Registrar transfer process has been initiated | During this state (a maximum of 7 days), the Domain Life Cycle scripts have no impact on the domain name (e.g. a domain name that has passed its expiry date will not be updated to ‘Expired’ status). The status will be lifted once the transfer is auto-approved (by system), approved (by losing registrar), rejected (by losing registrar) or cancelled (gaining registrar). Domain life cycle scripts will then be applied to the domain name on the next run (e.g. a domain name that has passed its expiry date will be updated with ‘Expired’ status and cease to resolve). |
| SERVER HOLD | Domain name has been suspended by SGNIC | Domain name cannot be resolved. For ‘Court Order’ cases, the Domain Life Cycle scripts have no impact on the domain name. Contact [email protected] for advice. |
| SERVER UPDATE PROHIBITED | Domain name update is prohibited by SGNIC | Contact [email protected] for advice. |
| SERVER RENEW PROHIBITED | Domain name renewal is prohibited by SGNIC | If this status exists in the presence of [email protected] status, see the note of [email protected] below. Contact [email protected] for advice. |
| SERVER TRANSFER PROHIBITED | Domain name transfer is prohibited by SGNIC | Contact [email protected] for advice. |
| SERVER DELETE PROHIBITED | Domain name deletion is prohibited by SGNIC | Contact [email protected] for advice. |
| CLIENT HOLD | Domain name has been suspended by sponsoring registrar | Domain name cannot be resolved. For ‘Court Order’ cases, the Domain Life Cycle scripts have no impact on the domain name. |
| CLIENT HOLD (Pending registrar confirmation) | CLIENT HOLD actions on RegistryLock domain name by the registrar are pending registrar’s confirmation via an OOB process | SGNIC will send the registrar an email containing the instructions to confirm (or reject) the action of HOLD. |
| CLIENT UPDATE PROHIBITED | Domain name update is prohibited by the sponsoring registrar | Contact registrar. |
| CLIENT RENEW PROHIBITED | Domain name renewal is prohibited by the sponsoring registrar | Contact registrar. |
| CLIENT TRANSFER PROHIBITED | Domain name transfer is prohibited by the sponsoring registrar | Contact registrar. |
| CLIENT DELETE PROHIBITED | Domain name delete is prohibited by the sponsoring registrar | Contact registrar. |
| [email protected] Required | Domain name is not subject to the [email protected] scheme | This typically applies to domain names registered before 2 May 2013. |
| [email protected] | Domain name subject to the [email protected] scheme | This typically applies to domain names registered after 2 May 2013. See https://verifiedid.sgnic.sg/faq.html for more information about [email protected] scheme. |
| [email protected] (ID NOT VERIFIED. PENDING ADMIN CONTACT VERIFICATION by dd-MON-yyyy HH:mm:ss) | Domain name is pending verification by the administrative contact of the domain name | The administrative contact of the domain name is required to verify the identity and contact information of the registrant in the [email protected] portal. |
| [email protected] | Domain name has been verified by the administrative contact of the domain name | -- |
| [email protected] | Domain name had not been verified after the grace period | Domain name cannot be resolved. The administrative contact of the domain name is required to verify the identity and contact information of the registrant in SGNIC’s [email protected] portal. The hold status will be lifted immediately after verification. |
| RegistryLock | Domain name has been enabled with the ‘RegistryLock’ security feature | See https://registrylock.sgnic.sg/rylockfaq.html for more information about ‘RegistryLock’ security feature. |
| RegistryLock (temporarily unlocked) | Domain name has been enabled with the ‘RegistryLock’ security feature, but the feature has been temporarily disabled by the administrative contact | The feature will be re-enabled automatically after the ‘unlock’ period/timeframe selected by the administrative contact. |

Technical - Contact Object

Is a contact object maintained as a separate object at the registry or as a domain object's attribute?

The contact object is maintained as a separate object. In other words, a contact can be created without being associated with any domain name, and can be associated with more than one domain name.

What are the types of contact required for a domain name?

All 4 types of contacts (Registrant, Administrator, Billing and Technical) are mandatory for each domain name.

Are there any restrictions on the number of contact objects that can be created?

There is no limit on the number of contact objects a registrar can create. However, for each domain name, there can be only 1 registrant, 1 administrator, 1 billing contact and 1 technical contact associated with the domain name. Multiple contacts for each role (e.g. 2 technical contacts for 1 domain name) are not allowed.

Are there any .sg-specific restrictions for contact objects?

Postal Code is mandatory if the country code is ‘SG’ (Singapore).

Read https://verifiedid.sgnic.sg/faq.html#_Toc445128329 for the requirements of the Administrative Contact of a .sg domain name subject to [email protected] scheme.

Technical - Host Object

Does the host object exist independently of the domain name?

Yes. However, if the host object’s hostname ends with .sg (aka ‘Child host’), the prerequisite is that the parent .sg domain name must already be registered; otherwise the system will not allow the creation of the host object.

Is there a requirement/restriction on the number of hosts associated with a domain name?

Yes. Minimally 2 hosts are required; and up to a maximum of 13 hosts could be associated with a domain name.

Is there a restriction on number of IP addresses for a host?

IP addresses are only required for ‘child hosts’ (i.e. host objects with hostnames ending with .sg) for glue record purposes. For such child host objects, a minimum of 1 IP address is required; and up to a maximum of 13 IP addresses. For other hosts with hostnames that do not end with .sg (a.k.a. ‘out-of-zone’ hosts), IP address is NOT required.

Are modifications on host objects allowed?

‘Hostname’ modifications are not allowed. ‘IP address’ modifications are allowed by the registrar who owns the host object.
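The domain-name, contact-object and host-object rules above can be checked on the registrar side before a create request is sent over EPP. This is an added example, not SGNIC code or its Java API: the request layout, role keys and sample values are constructed, and IDN labels are converted with Python's built-in Punycode codec without an IDNA normalisation step.

```python
import ipaddress
import re

# Limits quoted from the FAQ above.
MAX_LABEL_LEN = 63
MIN_HOSTS, MAX_HOSTS = 2, 13
MIN_GLUE_IPS, MAX_GLUE_IPS = 1, 13
ROLES = ("registrant", "admin", "billing", "tech")   # key names are this example's own
LDH = re.compile(r"[A-Za-z0-9-]+")


def to_ascii_label(label):
    """ASCII form of a label: unchanged if ASCII, else 'xn--' + Punycode."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def check_label(label):
    """Check the name part that precedes the category suffix (.sg, .com.sg, ...)."""
    errors = []
    ascii_form = to_ascii_label(label)
    if not 1 <= len(ascii_form) <= MAX_LABEL_LEN:
        errors.append(f"label is {len(ascii_form)} characters in ASCII form; 1 to 63 allowed")
    if label and label.isascii() and not LDH.fullmatch(label):
        errors.append("ASCII label may contain only letters, digits and hyphen")
    return errors


def is_child_host(hostname):
    return hostname.lower().rstrip(".").endswith(".sg")


def check_hosts(hosts, registered_sg_domains):
    """hosts maps hostname -> list of IP strings; the second argument is the set
    of .sg domains known to be registered (how it is obtained is up to the caller)."""
    errors = []
    if not MIN_HOSTS <= len(hosts) <= MAX_HOSTS:
        errors.append(f"{len(hosts)} host(s) supplied; 2 to 13 required")
    for hostname, ips in hosts.items():
        if not is_child_host(hostname):
            continue                      # out-of-zone host: no IP address required
        name = hostname.lower().rstrip(".")
        if not any(name.endswith("." + d) for d in registered_sg_domains):
            errors.append(f"{hostname}: parent .sg domain is not registered")
        if not MIN_GLUE_IPS <= len(ips) <= MAX_GLUE_IPS:
            errors.append(f"{hostname}: child host needs 1 to 13 IP addresses, got {len(ips)}")
        for ip in ips:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                errors.append(f"{hostname}: {ip!r} is not a valid IP address")
    return errors


def check_contacts(contacts):
    """contacts is a list of (role, contact) pairs; contact has 'cc' and 'pc' keys."""
    errors = []
    for role in ROLES:
        count = sum(1 for r, _ in contacts if r == role)
        if count != 1:
            errors.append(f"exactly 1 {role} contact required, got {count}")
    for role, contact in contacts:
        if contact.get("cc", "").upper() == "SG" and not contact.get("pc", "").strip():
            errors.append(f"{role}: postal code is mandatory when country code is SG")
    return errors


def preflight(label, hosts, contacts, registered_sg_domains=()):
    """All rule violations for one create request; an empty list means it passes."""
    return (check_label(label)
            + check_hosts(hosts, registered_sg_domains)
            + check_contacts(contacts))


# Constructed sample requests (names, addresses and postal codes are illustrative).
SG = {"cc": "SG", "pc": "000000"}
GOOD = dict(
    label="example",
    hosts={"ns1.example.net": [], "ns1.constructed-dns.sg": ["192.0.2.53", "2001:db8::53"]},
    contacts=[(role, SG) for role in ROLES],
    registered_sg_domains={"constructed-dns.sg"},
)
BAD = dict(
    label="bad_name",                                  # underscore is not LDH
    hosts={"ns1.orphan.sg": []},                       # one host, no parent, no glue
    contacts=[("registrant", {"cc": "SG", "pc": ""}),  # SG without postal code
              ("admin", SG), ("tech", {"cc": "MY"})],  # billing contact missing
)

if __name__ == "__main__":
    print(preflight(**GOOD))
    for problem in preflight(**BAD):
        print("-", problem)
```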

Mandatory Security Requirement for Renewal of Registrar Accreditation

What is SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation?

SGNIC requires that a SGNIC accredited registrar who seeks to extend the term of its registrar accreditation must, prior to the expiry of the term under its Registrar Accreditation Agreement (RAA), undergo a web application vulnerability assessment (“VA”) test for its .sg domain name registration web portal (“Mandatory Security Requirement for Renewal of Registrar Accreditation”). SGNIC requires that the registrar completes the web application VA and rectifies any “high” and “medium” security risk findings in the final year (usually year 3) of such registrar’s accreditation, and furnishes to SGNIC a copy of the final web application VA test report showing that there are no “high” or “medium” security risk findings in the web application VA test results. The final web application VA test date must be within the final year of the registrar’s term of accreditation (usually year 3), i.e. dated no more than 12 months before the expiry of the term of accreditation, and shall be to SGNIC’s satisfaction.

Why is there a need to ensure that an accredited registrar’s .sg domain name registration web portal is secure?

 

Most SGNIC accredited registrars operate a web portal that allows registrants to modify their .sg domain name information, such as contact details and name servers. If an attacker is able to gain unauthorised access to an accredited registrar’s web portal by exploiting vulnerabilities of the web portal, the attacker may be able to perform unauthorised modifications to registrants’ .sg domain name information. Such unauthorised modifications may then allow the attacker to, for example, hijack domain names and/or redirect registrants’ websites, emails or other services, to servers controlled by the attacker.
What harm may be caused to registrants if an attacker is able to gain unauthorised access into an accredited registrar’s domain name registration web portal?
The harm will depend on the actions of the attacker after it gains control of the domain name, the issues created by the attacker, and the value and importance placed on the contents of the registrant’s website, emails and other services attached to the domain name. For example, (i) the attacker may change the visual appearance of a registrant’s web portal to demonstrate its ability to deface such website thus affecting the registrant’s reputation, (ii) interfere with activities over the registrant’s web portal thereby causing disruption and/or economic losses, or (iii) trick end users into believing that services provided over the registrant’s web portal  are nevertheless legitimate so much so that users continue to transact using such services, resulting in sensitive information being leaked to the attacker.
What is web application VA testing and how does it help to secure a SGNIC accredited registrar’s domain name registration web portal?
Web application VA testing is a non-intrusive approach that serves to produce a prioritised list of security vulnerabilities associated with a web application. Typically, a software tool is used to automate the ‘scanning’ of the web application to identify vulnerabilities that may be exploited. Each vulnerability may be validated to remove false positives and is assigned a security risk rating of “high”, “medium” or “low”. The organisation that has undergone web application VA testing may then prioritise which vulnerabilities to resolve first.
Apart from web application VA testing, are there any other mandatory security requirements imposed by SGNIC?
SGNIC requires that all SGNIC accredited registrars undergo web application VA tests for their domain name registration web portals for purposes of SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation. SGNIC considers web application VA testing to be an important minimum requirement, and would expect all accredited registrars to perform the web application VA tests to enhance their level of security protection. As accredited registrars are responsible for the security of their own systems and web portals, where any security breach may adversely impact both registrars and registrants, it is recommended that such registrars not only implement regular web application VA testing, but also carry out other security assessments such as host/network based VA tests, host/network and web application penetration tests and IT general controls reviews as well. 
Are all SGNIC accredited registrars affected by SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation?
SGNIC requires that all SGNIC accredited registrars be subject to the Mandatory Security Requirement for Renewal of Registrar Accreditation. First, an existing registrar whose term of accreditation expires on or after 1 July 2020 will be required to comply with SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation with effect from 1 January 2019. Second, where an existing registrar’s term of accreditation would expire before 1 July 2020, notwithstanding a renewal of the registrar’s term of accreditation in view of the aforementioned, such registrar would only need to comply with the Mandatory Security Requirement at its subsequent renewal. Third, where a registrar would be accredited on or after 1 January 2019, such registrar would only need to comply with SGNIC’s Mandatory Security Requirement when its accreditation renewal is subsequently due. SGNIC is also prepared to waive the application of the Mandatory Security Requirement for Renewal of Registrar Accreditation on a case-by-case basis, in the event an accredited registrar does not operate a web portal for registrants to modify .sg domain name details.
What must an accredited registrar provide to SGNIC for purposes of the Mandatory Security Requirement for Renewal of Registrar Accreditation?

The registrar shall provide SGNIC with a web application VA test report. The VA test report shall:

a) be produced by a SGNIC pre-screened security vendor in accordance with the requirements and scope of work as defined here;
b) bear a final assessment date of not more than 12 months before the registrar’s accreditation expiry date; and
c) contain no security risk findings that are rated as “high” or “medium”.

What happens if the web application VA test report submitted by an accredited registrar does not comply with SGNIC’s requirements?

SGNIC may reject the accredited registrar’s application for an extension of the term of its accreditation under the RAA. SGNIC may, however, at its sole and absolute discretion and on a case-by-case basis, consider extending the registrar’s term of accreditation for a short period (e.g. 6 months) to provide the registrar additional time to fulfil the Mandatory Security Requirement for Renewal of Registrar Accreditation, with a view to extending such registrar’s accreditation should the registrar eventually comply with SGNIC’s requirements.

How much does it cost to conduct a web application VA test?

Based on SGNIC’s survey of the market in 2018, the fees to conduct a web application VA test may range from approximately S$2,800 to S$5,000.

Will SGNIC provide funding support to assist SGNIC accredited registrars to meet the Mandatory Security Requirement for Renewal of Registrar Accreditation?

Yes, partial sponsorship, subject to a cap, will be provided per web application VA test conducted for an initial period of 3 years from 1 January 2019 for SGNIC accredited registrars that are Small and Medium Enterprises (SMEs) and have met SGNIC’s sponsorship requirements. The funding support is described below. More details are in the FAQ on Sponsorship Programme for Web Application Vulnerability Assessment:

 

| Sponsorship Application Date | Sponsorship Details |
| --- | --- |
| 1 Jan 2019 – 30 Sep 2019 (within 9 months from the commencement of SGNIC’s sponsorship programme for web application VA) | 80% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$4,400. |
| 1 Oct 2019 – 31 Dec 2021 (after 9 months from commencement of SGNIC’s sponsorship programme for web application VA) | 50% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$2,750. |

 

 

Who are SGNIC’s pre-screened security vendors?
Please refer to the list of pre-screened security vendors as published here.
Why is there a need to use a pre-screened security vendor?
As there are no industry certifications to identify security vendors for the conduct of web application VA tests, it would be difficult for accredited registrars and SGNIC to determine if a vendor’s VA testing and reports constitute an adequate assessment of the vulnerability situation of a registrar’s web application. As the starting point, SGNIC is of the view that a screening of the vendor’s methodology and track record would minimally help to ascertain the credibility and qualifications of a vendor before a registrar engages the vendor’s services. 
Can an accredited registrar request for its security partner to be identified as a pre-screened security vendor by SGNIC?
Yes, you can inform your security partner (which includes a local or overseas-based security partner that a registrar works with) to submit an application form to SGNIC to be identified as a pre-screened security vendor. SGNIC will assess the security vendor’s track record and methodology to determine if the security vendor can be included as one of SGNIC’s pre-screened security vendors.

Will SGNIC guarantee the quality of work of a SGNIC pre-screened security vendor?
While SGNIC will identify certain security vendors as pre-screened security vendors based on such vendors’ track record and methodology, SGNIC makes no guarantee or assurances as to the quality of work of such pre-screened security vendors. That said, for the purposes of identifying security vendors as pre-screened security vendors, SGNIC will make every effort to review a security vendor’s credibility and qualifications. The list of pre-screened security vendors and any information pertaining to the pre-screened vendors that are provided by SGNIC, are provided ‘as is’ without any express or implied warranty of any kind. 

Will SGNIC be involved in the appointment of a pre-screened security vendor by an accredited registrar or the resolution of any dispute between them?
No, SGNIC is not involved in an accredited registrar’s appointment of a pre-screened security vendor. The registrar shall arrange for the engagement of a pre-screened security vendor, including the terms of engagement and scope of the security vendor’s services. Any dispute, including that arising from the services or products provided by the registrar’s appointed security vendor, shall be resolved directly between the registrar and the security vendor. 
What are the technical requirements and scope of the web application VA testing?
The technical requirements and scope of work are set out here.  Accredited registrars shall ensure that the relevant requirements are met when they procure VA test services from pre-screened security vendors. 
What is a typical project flow for each web application VA testing?
Where a SGNIC accredited registrar qualifies for SGNIC’s Sponsorship Programme for Vulnerability Assessment, the typical workflow for web application VA testing is as follows:
[Figure: workflow for web application VA testing under SGNIC’s Sponsorship Programme for Vulnerability Assessment]
Where a SGNIC accredited registrar does not qualify for SGNIC’s Sponsorship Programme for Vulnerability Assessment, the typical workflow for web application VA testing is as follows:
[Figure: workflow for web application VA testing without sponsorship]
What is the recommended timeline for an accredited registrar to start the engagement with a pre-screened security vendor?
Accredited registrars should plan to carry out the first VA tests from as early as 15 months, and no later than 6 months, before the expiry of the terms of accreditation under their respective RAAs. Accredited registrars should also be aware that the final VA test dates shall be not more than 12 months before the expiry of the terms of accreditation under their respective RAAs. Registrars should plan for a lead time (e.g. 3 to 6 months) to fix any vulnerabilities before the final VA test/re-scan (taking into consideration that there may be numerous vulnerabilities found, with some vulnerabilities requiring deeper research, and others requiring upgrades of framework/webserver, etc.). As SGNIC generally engages/reminds registrars about their renewals of accreditation approximately 6 months before the expiry of their respective terms of accreditation, SGNIC strongly recommends that registrars produce the final VA scan/test result by then to avoid any delay in the renewal of accreditation by SGNIC.

Sponsorship Programme for Web Application Vulnerability Assessment

Who may apply for SGNIC’s sponsorship programme for web application VA?
SGNIC’s sponsorship programme for web application VA is available to SGNIC accredited registrars that are Small and Medium Sized Enterprises (“SMEs”) only. SMEs are enterprises which have a group annual sales turnover of not more than S$100 million OR group employment size of not more than 200 employees.
How much funding will be provided to a successful applicant under SGNIC’s sponsorship programme for web application VA?
The funding amount and relevant period are in the table below.

 

Sponsorship Application Date | Sponsorship Details
1 Jan 2019 – 30 Sep 2019 (within 9 months from the commencement of SGNIC’s sponsorship programme for web application VA) | 80% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$4,400.
1 Oct 2019 – 31 Dec 2021 (after 9 months from commencement of SGNIC’s sponsorship programme for web application VA) | 50% sponsorship per web application VA test conducted, to be capped at a Total Sponsorship Amount of S$2,750.

 


What is covered under SGNIC’s sponsorship programme for web application VA?
SGNIC’s sponsorship programme for web application VA specifically covers the cost of a SGNIC accredited registrar’s engagement of a pre-screened security vendor for the conduct of web application VA testing, based on the defined scope of work as set out here. The scope of work includes one post/follow-up VA test review. For the avoidance of doubt, SGNIC does not provide sponsorship funding for tasks that fall outside of the aforementioned scope of work (e.g. additional post/follow-up VA test reviews).
How long does SGNIC intend to make available the funding under the sponsorship programme for web application VA?
Under the sponsorship, SGNIC will provide funding support for an initial period of 3 years from 1 January 2019. SGNIC intends to subsequently review if funding support should be continued after this initial period.
Can a SGNIC accredited registrar apply for sponsorship more than once?
Yes, each SGNIC accredited registrar may apply for sponsorship for web application VA testing up to 3 times within 3 years. However, to ensure that the web application VA tests performed are spread out over the 3 years, SGNIC requires that the registrar’s 2nd and 3rd sponsorship application dates must be at least 6 months after the final VA test report date of the previous sponsorship application.
How can a SGNIC accredited registrar apply to be considered for SGNIC’s sponsorship programme for web application VA?
A SGNIC accredited registrar that meets SGNIC’s requirements to qualify for the sponsorship programme for VA can apply to be considered for the sponsorship by completing the sponsorship application form and by submitting the completed application to [email protected]

Successful applicants will be required to accept the Letter of Offer containing the terms and conditions. A sample letter of offer and its annexes are provided below:
Sample Letter-of-Offer (LoF)
Annex 1 of LoF Terms and Conditions
Annex 2 of LoF Qualifying Costs
Annex 3 of LoF Claims Form
What is the start and end date for a SGNIC accredited registrar to submit its sponsorship application?
SGNIC accredited registrars may submit their duly completed sponsorship application forms between 1 Jan 2019 and 31 Dec 2021.
How long will SGNIC take to process an application?
SGNIC will take approximately 10 business working days (Singapore time zone) to process each application under normal circumstances.
Can a SGNIC accredited registrar ask a pre-screened security vendor to commence work before its sponsorship application is approved?
No, the SGNIC accredited registrar applying for sponsorship to seek funding support should wait until its sponsorship application has been approved by SGNIC before asking the security vendor to commence work. Any sponsorship claims pertaining to work done or for web application VA tests conducted prior to SGNIC’s approval of the sponsorship application or before the date indicated on the registrar’s Acceptance Form to SGNIC’s Letter of Offer, will be rejected.
When can a sponsored SGNIC accredited registrar submit its claim?
A sponsored SGNIC accredited registrar should only submit its claim under SGNIC’s sponsorship programme for web application VA after it has received the final VA test report from the security vendor, and has fully paid the monies due to the security vendor for the work done in respect of the web application VA testing. For the avoidance of doubt, SGNIC will only issue the sponsorship funds as may be approved after confirmation of the quantum claimed, and verification that the expenses for the web application VA testing have been incurred and paid for by the registrar.
Can SGNIC issue the sponsorship funds to a third party e.g. the security vendor engaged by the SGNIC accredited registrar?
No, SGNIC will issue the sponsorship funds payable under SGNIC’s sponsorship programme for web application VA directly to the sponsored SGNIC accredited registrar only.
Is there a time limit for sponsored SGNIC accredited registrars to submit their sponsorship claims?
Yes, sponsored SGNIC accredited registrars must submit their claims forms within 9 months from the date of SGNIC’s Letter of Offer. This means that the registrars must complete the process of sponsorship application, vendor engagement, VA test, system fixes, post/follow-up VA test, vendor payment and sponsorship claim within the 9 months. Registrars should endeavour to complete the VA test and make the claim as soon as possible after the sponsorship has been approved. Any requests for extension of sponsorship claims due dates must be submitted to SGNIC in writing prior to the deadlines. Any requests for extension are subject to SGNIC’s approval.
What are the documents required for submission to SGNIC for sponsorship claim?
Please submit the completed claim form and relevant documents as stated below:
1. Completed Web Application VA Sponsorship Claims Form;
2. Copy of the invoice issued by the IT security vendor as indicated in the Letter of Offer;
3. Copy of the proof of payment (receipt/tax invoice) issued by the SGNIC pre-screened IT security vendor as indicated in the Letter of Offer;
4. Copy of the contract/agreement with the vendor, which shall include the scope of work, project deliverables, project commencement and completion dates, and project costings; and
5. Final VA report, stating the date of the final VA test conducted, with no “high” and “medium” risk findings; or with explanations on why the risks are accepted by the registrar’s management (SGNIC reserves the right to accept or reject the registrar’s explanations).
How long will SGNIC take to disburse the sponsorship funds?
SGNIC will take approximately 2 months to disburse the sponsorship funds upon receipt and verification of the fully completed sponsorship claim forms.
Can a SGNIC accredited registrar also apply for sponsorship funding from SGNIC to put in place other security protection measures?

No. At present, SGNIC’s sponsorship programme for VA only covers funding for web application VA testing under SGNIC’s Mandatory Security Requirement for Renewal of Registrar Accreditation. SGNIC may consider whether to revise the sponsorship programme to provide funding for other security programmes in the future.