Our department protects our information systems and the data they hold. We encourage the security community to report any potential vulnerabilities to us directly.
If you think you have found a potential vulnerability in one of our systems, please tell us as soon as possible.
We cannot pay you for finding potential or confirmed vulnerabilities. However, we can credit you as the person who discovered the vulnerability, unless you tell us not to.
Security research in scope of this policy
This vulnerability disclosure policy covers any product or service wholly owned by our department to which you have lawful access.
Security research out of scope of this policy
Our vulnerability disclosure policy does not cover:
- social engineering or phishing
- weak or insecure SSL ciphers or certificates
- denial of service (DOS)
- physical attacks against our department, its employees or property belonging to us or our employees
- attempts to modify or destroy data
- actions that violate Australian law.
How to report a vulnerability
Please email Vulnerability.Disclosure@industry.gov.au
When reporting a potential vulnerability, please provide as much of the below information as possible to help us to understand the issue:
- website or supporting product version containing the vulnerability
- system or environment information in which the issue was reproduced (browser, operating system etc.)
- vulnerability type or classification (RCE, XSS, CWE, etc.)
- step-by-step instructions to reproduce the vulnerability
- proof-of-concept or exploit code
- potential impact of the vulnerability (if known).
We operate this policy under the responsible disclosure method. Please do not disclose the vulnerability until we have had time to fix it. We will:
- respond to your report within 5 business days
- keep you informed of our progress
- agree on a date for public disclosure.
People who have disclosed vulnerabilities to us
We list names or aliases of people who have identified and disclosed vulnerabilities to us.
- Parth Narula
- Mohamed Akees