Vulnerability disclosure policy

How security researchers can tell us about potential security vulnerabilities.

Our department protects our information systems and the data they hold. We encourage the security community to report any potential vulnerabilities to us directly.

If you think you have found a potential vulnerability in one of our systems, please tell us as soon as possible.

We cannot pay you for finding potential or confirmed vulnerabilities. However, we can credit you as the person who discovered the vulnerability, unless you tell us not to.

Security research in scope of this policy

This vulnerability disclosure policy covers any product or service wholly owned by our department to which you have lawful access.

Security research out of scope of this policy

Our vulnerability disclosure policy does not cover:

  • clickjacking
  • social engineering or phishing
  • weak or insecure SSL ciphers or certificates
  • denial of service (DOS)
  • physical attacks against our department, its employees or property belonging to us or our employees
  • attempts to modify or destroy data
  • actions that violate Australian law.

How to report a vulnerability

Please email

When reporting a potential vulnerability, please provide as much of the below information as possible to help us to understand the issue:

  • website or supporting product version containing the vulnerability
  • system or environment information in which the issue was reproduced (browser, operating system etc.)
  • vulnerability type or classification (RCE, XSS, CWE, etc.)
  • step-by-step instructions to reproduce the vulnerability
  • proof-of-concept or exploit code
  • potential impact of the vulnerability (if known).

We operate this policy under the responsible disclosure method. Please do not disclose the vulnerability until we have had time to fix it. We will:

  • respond to your report within 5 business days
  • keep you informed of our progress
  • agree on a date for public disclosure.

People who have disclosed vulnerabilities to us

We list names or aliases of people who have identified and disclosed vulnerabilities to us.

  • Vijay Sutar
  • Adrian Tirado Garcia
  • Parth Narula
  • Mohamed Akees


Was this page helpful?

Was this page useful?

Thank you for your feedback!

Would you like to tell us more about your experiences with this page? (optional)

Feedback you provide will not be directly answered. If you require a reply, please reach out to the page contact directly. For any other queries, please use our general enquiries web form.

Please do not include personal or financial information (e.g. email addresses, phone numbers or credit card details).

Your feedback is covered by our privacy policy.