Our security vulnerability disclosure policy gives security researchers and the community a point of contact with us. We encourage you to tell us if you find a potential vulnerability within our systems, services or products.
On this page:
About the policy
The security of our systems is our top priority. We take every care to keep them secure. But despite our efforts, they may still be vulnerable.
We are keen to engage with the security community. Our security vulnerability disclosure policy allows you to responsibly share your findings with us.
If you think you have identified a vulnerability in one of our systems, services or products, report it to us as quickly as possible.
As an Australian Government agency, we can't compensate you for finding potential or confirmed vulnerabilities. However, if you opt-in, we can recognise you by publishing your name or alias on this page.
If you think a vulnerability exists, please report it to us. We can test and verify it.
The privacy statement for the Vulnerability Disclosure Program is available to view.
Security research within scope of this policy
This policy covers:
- Any product or service wholly owned by our department to which you have lawful access
- Any product or service wholly owned by one of our participating client entities to which you have lawful access.
Security research out of scope of this policy
This policy does not cover:
- Social engineering or phishing against government employees, contractors or any other party
- Weak or insecure SSL ciphers or certificates
- Misconfigured SPF (sender policy framework) or DMARC (domain-based message authentication, reporting and compliance) DNS records
- Resource exhaustion attacks such as Denial of Service (DoS) or Distributed DoS (DDoS)
- Physical attacks against the department, portfolio agencies, their employees or property belonging to the department, portfolio agencies, or their employees
- Attempts to modify, destroy or exfiltrate data
How to report a vulnerability
Please email VulnerabilityDisclosure@dewr.gov.au with enough detail, so that we can replicate and validate the vulnerability.
We operate our VDP under the responsible disclosure method and ask that you do not disclose the vulnerability until we have had enough time to remediate it.
- Respond to your report within 5 business days
- Keep you informed of our progress
- Agree upon a date for public disclosure
- Credit you as the person who discovered the vulnerability unless you ask us not to.