Security & Feedback

Found an issue? We want to know.

Whether you've spotted a security vulnerability in one of our products or have feedback to share — thank you for taking the time. We read every report.

Vulnerability Disclosure

If you've discovered a security vulnerability in any better.sg product, website, or infrastructure, please disclose it responsibly. We are a volunteer-run charity — we genuinely appreciate your help keeping our tools safe.

What to include

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • The affected product, URL, or system
  • Any proof-of-concept code or screenshots (if applicable)

Our commitment to you

  • We will acknowledge your report within 5 business days
  • We will keep you informed as we investigate and remediate
  • We will not pursue legal action against good-faith researchers
  • We will credit you publicly if you wish
Report a Vulnerability

Product Feedback

Using a tool built by better.sg? We'd love to hear what's working, what isn't, and what would make it more useful for you and your organisation.

What kind of feedback helps

  • Bugs or unexpected behaviour in a product
  • Accessibility or usability issues
  • Feature requests or missing functionality
  • General impressions from end users or NGO staff

What to mention

  • Which product or project you're referring to
  • Your role (NGO staff, volunteer, end user, etc.)
  • A description of the issue or suggestion
  • Screenshots or screen recordings if relevant
Send Feedback

Common questions

What counts as a security vulnerability?

Anything that could allow unauthorised access, data exposure, privilege escalation, or service disruption on our website or tools — including XSS, SQL injection, authentication bypasses, and misconfigured access controls.

Is there a bug bounty?

We are a volunteer-run charity with no budget for monetary bounties. We can offer public credit and a thank-you — and knowing you've helped protect vulnerable communities is pretty meaningful too.

What should I not do during research?

Please do not access, modify, or delete data that does not belong to you. Do not disrupt live services or perform denial-of-service testing. Do not publicly disclose the vulnerability before we have had a chance to remediate it.

Which products does this cover?

All tools, applications, and digital infrastructure operated by better.sg — including this website, any open-source tools we've deployed to NGOs, and our volunteer platforms.