At NCSA, we believe we need everyone's help in securing our nation. We know there are incredibly talented individuals with specialized skills capable of uncovering issues within our digital ecosystem.

We encourage your enthusiasm and passion for cybersecurity. This program is our way to officially acknowledge your valuable contributions in making our nation a more secure digital space.

"When it comes to our nation, If not us then who? If not now then when?"

To fully embrace our motto of Nurture talent, Collaborate for strength, Secure our digital future, and Adapt to new challenges, we are excited to launch the NCSA Bug Bounty Program.

We recognize contributions at three distinct levels. Level 1 is the only available option now. The Levels 2 and 3 will be introduced in the future based on our maturity as an agency as well as maturity of those who report vulnerabilities. Participants who submit valid vulnerability reports will be awarded official, verifiable certificates from NCSA.

These certificates can be validated directly through our website, adding significant credibility and value to your recognized efforts in bolstering national cybersecurity.

If you have discovered any vulnerability or security concern within NCSA-managed or other national digital systems, please report it through our secure Message Us feature.

This system uses a simple email-based OTP verification for initial contact. We will investigate your findings thoroughly and acknowledge your valuable contribution.

NCSA does not authorise or encourage any actions that may harm government systems, services, or users. Any testing must be limited to safe verification without causing impact.

The National Cyber Security Agency (NCSA)’s Bug Bounty Programme is a non-commercial, voluntary national initiative aimed at promoting responsible vulnerability disclosure and strengthening cybersecurity resilience across government systems. While the programme accepts reports anonymously, certificates can only be issued following appropriate verification, in accordance with existing programme regulations. Participation does not establish any employment, contractual relationship, or entitlement to monetary or other rewards. All recognitions are granted solely at the discretion of NCSA and are subject to established processes, committee review and approval. Participants must act in good faith and strictly within ethical boundaries. This programme only accepts responsible reporting of vulnerabilities and does not permit: Exploitation of vulnerabilities, Data exfiltration or access to sensitive information, Privacy violations, Service disruption or system impairment and Any form of intrusive or harmful testing. Any violation of these principles may result in disqualification, revocation of recognition, and legal action where applicable.