Vulnerability Disclosure Program

We work hard to ensure data and our online systems are secure and protected. Despite our efforts, there may still be vulnerabilities.

Our Vulnerability Disclosure Program encourages members of the security community to report security vulnerabilities to us. If you think you have found a vulnerability in one of our systems, please contact us as soon as possible.

We will not compensate you for finding potential or confirmed vulnerabilities, but with your consent will recognise you in our contributing researchers register. 

What the program covers

Our security Vulnerability Disclosure Program covers:

• any product, system or service that belongs to us entirely and which you are authorised to use/have lawful access to
• any services that are owned by third parties but are used as part of our services, which you are authorised to use

Under this program you must not:

• publicly disclose information regarding vulnerabilities in our systems
• engage in physical testing of our facilities
• leverage deceptive techniques, such as social engineering, against our employees, contractors or any other party
• execute resource exhaustion attacks, such as DOS (denial of service) or DDOS (distributed denial of service)
• leverage automated vulnerability assessment tools
• introduce malicious software or similar harmful software that could impact our services, products, customers or any other party
• engage in unlawful or unethical behaviour
• reverse engineer our products or systems
• modify, destroy, exfiltrate or retain data we store
• submit false, misleading or dangerous information to our systems
• access or attempt to access accounts or data that does not belong to you.

Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:

• weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
• misconfigured DNS (domain name system) records such as SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
• missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy)
• theoretical cross-site request forgery and cross-site framing attacks.

How to report a vulnerability

To report a potential vulnerability, email cyber@moadoph.gov.au

Provide as much information as possible, including:

• the version of the website or supporting product that contains the vulnerability
• information about the system or environment where the issue was reproduced (such as the browser, operating system, etc.)
• the vulnerability type or classification (for example, RCE, XSS, CWE)
• step-by-step instructions for reproducing the vulnerability
• any proof-of-concept or exploit code you may have
• the potential impact of the vulnerability, if known
• name of the test accounts you created (where applicable)
• date the vulnerability was identified
• your contact details (if we need to request any additional information to address the concern).

We will treat your report and any personal information you provide to us in accordance with our privacy policy.

We ask that you maintain confidentiality. Do not disclose any potential security vulnerabilities publicly without our written consent.

Next steps

When you report a vulnerability, we will:

• reply with an initial response within 4 business days
• publicly recognise your contribution to our program, with your permission. Public recognition will only occur after we have confirmed the validity of your report.

We will not:

• financially compensate you for reporting
• share your details with any other organisation without your permission.

If you have any questions, contact us at cyber@moadoph.gov.au

People who have reported vulnerabilities to us

Gokuleshwaran BharathKumar

Devansh Chauhan