Vulnerability disclosure policy

This policy provides guidelines for security researchers and members of the public on how to report vulnerabilities within our systems.

Please contact us as soon as possible if you think you have found a potential vulnerability in one of our systems.

What this policy covers

This policy applies to all products or services wholly owned by us that you can lawfully access.

What this policy doesn’t cover

This policy does not cover:

  • clickjacking
  • social engineering or phishing
  • weak or insecure Secure Sockets Layer (SSL) ciphers or certificates
  • denial of service (DoS) or distributed denial of service (DDoS) attacks
  • misconfigured Sender Policy Framework (SPF) or Domain-based Message Authentication, Reporting and Conformance (DMARC) Domain Name System (DNS) records
  • posting, transmitting, uploading, linking to, or sending any malware
  • physical attacks
  • attempts to modify or destroy data
  • attempts to extract or exfiltrate sensitive data
  • any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

Unauthorised security research

This policy doesn’t authorise individuals or groups to undertake hacking or penetration testing against our information and communications technology (ICT) systems or platforms.

Crediting people who find vulnerabilities

We cannot pay you for finding potential or confirmed vulnerabilities. However, we can credit you as the person who discovered the vulnerability, unless you tell us not to.

Those who have discovered the vulnerability will have their name or alias listed on this page.

How to report a vulnerability

You can report vulnerabilities to us by email: vulnerability.disclosure@ipaustralia.gov.au

Please provide as much detail as possible, including but not limited to:

  • a description of the potential vulnerability
  • a list of our products or services that may be impacted
  • step-by-step instructions on how to reproduce the vulnerability
  • proof of concept code, screenshots, or any other relevant evidence
  • your name (or alias) and contact details.

We operate this policy under the responsible disclosure method. Please do not disclose the vulnerability until we have had time to fix it.

After you have reported a vulnerability

When you have reported a vulnerability, we will:

  • acknowledge that we have received your report. This acknowledgement is typically sent within 5 business days during normal business operations
  • forward your report to internal or external teams as necessary to start investigations
  • send you progress reports on the handling of the vulnerability, if requested
  • implement any changes and notify you once any vulnerabilities are fixed
  • publish your name or alias in recognition (unless you advise otherwise).

People who have disclosed vulnerabilities

The following people, listed by name or alias, have identified and disclosed vulnerabilities to us:

  • No vulnerabilities have been identified and disclosed at this time.

Privacy collection notice

You can view the privacy statement for the Vulnerability Disclosure Program on our Privacy page.