About this policy
The security of our systems is a top priority and we take every care to keep them secure. Despite our efforts, there may still be vulnerabilities.
We are keen to engage with the security community. This policy allows security researchers to share their findings with us. If you think you have found a potential vulnerability in one of our systems, services or products, please tell us as quickly as possible.
We will not compensate you for finding potential or confirmed vulnerabilities.
What this policy covers
This policy covers:
- any product or service wholly owned by our department to which you have lawful access
- any product or service wholly owned by one of our portfolio agencies to which you have lawful access.
This policy does not cover:
- clickjacking
- social engineering or phishing
- weak or insecure SSL ciphers and certificates
- denial of service (DoS)
- physical attacks
- attempts to modify or destroy data.
How to report a vulnerability
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has developed a secure process to enable reporting of a vulnerability. Please ensure all vulnerabilities are reported via their form.
What happens next
We will:
- be provided with all verified vulnerabilities by the ACSC
- be in touch to keep you informed of our remediation progress and to agree upon a date for public disclosure
- credit you as the person who discovered the vulnerability (unless you prefer us not to).
People who have disclosed vulnerabilities to us
Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:
- Jebarson Immanuel J
- Ahmad Henry Mansour
- Vishnujith K.P
- Rebecca Howard
- Sachin Chaulagai
- Ishan Vyas
- Ali Alzahrani
- N Krishna Chaitanya
- Netan Mangal
- Hamoud Al-Helmani
- bad5ect0r
- Junting Zhu
- Redmission1337
- Pankaj Kumar Thakur
- Pritam Mukherjee
- Gourab Sadhukhan
- Shdeed Nawaf
- Siddhesh Joshi
- Anto Denvo J
- Mohd Danish Abid
- Jack Misiura
- Cyril Luk
- Rafael Figueredo Roberto
- Biswajeet Ray
- Ratchakrit Seriamnuai (Lenk)
- Arne Alano.