This policy provides guidelines for security researchers and members of the public on how to report vulnerabilities within our systems.
Please contact us as soon as possible if you think you have found a potential vulnerability in one of our systems.
What this policy covers
This policy applies to all products or services wholly owned by us that you can lawfully access.
What this policy doesn’t cover
This policy does not cover:
- clickjacking
- social engineering or phishing
- weak or insecure Secure Sockets Layer (SSL) ciphers or certificates
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
- misconfigured Sender Policy Framework (SPF) or Domain-based Message Authentication, Reporting and Conformance (DMARC) Domain Name System (DNS) records
- posting, transmitting, uploading, linking to, or sending any malware
- physical attacks
- attempts to modify or destroy data
- attempts to extract or exfiltrate sensitive data
- any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.
Unauthorised security research
This policy doesn’t authorise individuals or groups to undertake hacking or penetration testing against our information and communications technology (ICT) systems or platforms.
Crediting people who find vulnerabilities
We cannot pay you for finding potential or confirmed vulnerabilities. However, we can credit you as the person who discovered the vulnerability, unless you tell us not to.
Those who have discovered the vulnerability will have their name or alias listed on this page.
How to report a vulnerability
You can report vulnerabilities to us by email: vulnerability.disclosure@ipaustralia.gov.au
Please provide as much detail as possible, including but not limited to:
- a description of the potential vulnerability
- a list of our products or services that may be impacted
- step-by-step instructions on how to reproduce the vulnerability
- proof of concept code, screenshots, or any other relevant evidence
- your name (or alias) and contact details.
We operate this policy under the responsible disclosure method. Please do not disclose the vulnerability until we have had time to fix it.
After you have reported a vulnerability
When you have reported a vulnerability, we will:
- send you a reply that we received your report. This is typically sent within 5 business days during normal business operations
- forward your report to internal or external teams as necessary to start investigations
- send you progress reports on the handling of the vulnerability, if requested
- implement any changes and notify you once any vulnerabilities are fixed
- publish your name or alias in recognition (unless you advise otherwise).
People who have disclosed vulnerabilities
The following names or aliases are people who have identified and disclosed vulnerabilities to us:
- Abhishek Srivastava (reported a vulnerability on the IP Australia website 13/08/2024).
Privacy collection notice
You can view the privacy statement for the Vulnerability Disclosure Program on our Privacy page.