Vulnerability Disclosure Policy

Our security vulnerability disclosure policy gives security researchers and the community a point of contact with us. We encourage you to tell us if you find a potential vulnerability within our systems, services or products.

About the policy

The security of our systems is our top priority. We take every care to keep them secure. But despite our efforts, they may still be vulnerable.

We are keen to engage with the security community. Our security vulnerability disclosure policy allows you to responsibly share your findings with us.

If you think you have identified a vulnerability in one of our systems, services or products, report it to us as quickly as possible.

As an Australian Government agency, we can't compensate you for finding potential or confirmed vulnerabilities. However, if you opt in, we can recognise you by publishing your name or alias on this page.

If you think a vulnerability exists, please report it to us. We can test and verify it.

The privacy statement for the Vulnerability Disclosure Program is available to view.

Security research within scope of this policy

This policy covers:

  • Any product or service wholly owned by our department to which you have lawful access
  • Any product or service wholly owned by one of our participating client entities to which you have lawful access.

Security research out of scope of this policy

This policy does not cover:

  • Clickjacking
  • Social engineering or phishing against government employees, contractors or any other party
  • Physical attacks against the department, portfolio agencies, their employees or property belonging to the department, portfolio agencies, or their employees
  • Attempts to modify, destroy or exfiltrate data
  • Resource exhaustion attacks such as Denial of Service (DoS) or Distributed DoS (DDoS)
  • Use of automated vulnerability assessment tools

Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:

  • Weak or insecure SSL ciphers or certificates
  • Misconfigured or missing DNS records, including, but not limited to, SPF (Sender Policy Framework) or DMARC (Domain-based Message Authentication, Reporting and Conformance).

How to report a vulnerability

Please email us with enough detail that we can replicate and validate the vulnerability.

We operate our VDP under the responsible disclosure method and ask that you do not disclose the vulnerability until we have had enough time to remediate it.

We will:

  • Respond to your report within 5 business days
  • Keep you informed of our progress
  • Agree upon a date for public disclosure
  • Credit you as the person who discovered the vulnerability unless you ask us not to.

People who have disclosed vulnerabilities

The names or aliases of people who contribute to our security vulnerability disclosure program will be published with their permission and shown below:

  • Nukjir Tdejiyv
  • Parth Narula
  • Vaibhav Jain
  • B.Gokuleshwaran Bharathkumar
  • Hritom Bhattacharya