If you believe you have found a potential security vulnerability in ICT systems operated by us, you can report it.

About this policy

The security of our systems and the data we hold is a critical priority for us. We make every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.

This policy allows security researchers to share their findings with us in good faith. If you think you have found a potential vulnerability in one of our ICT systems, services or products, please tell us as quickly as possible.

We will not compensate you for finding potential or confirmed vulnerabilities. If you have not exploited the vulnerability or prematurely disclosed its possible existence, we will not take any legal action against you.

What this policy covers

This policy covers:

  • any product or service operated by us to which you have lawful access.

This policy does not cover:

  • clickjacking
  • social engineering or phishing
  • weak or insecure SSL ciphers and certificates
  • denial of service (DoS or DDoS) attacks
  • posting, transmitting, uploading, linking to, or sending any malware
  • physical attacks
  • attempts to modify or destroy data
  • attempts to extract or exfiltrate sensitive data.

This policy does not authorise individuals or groups to undertake hacking or penetration testing against our ICT systems.

This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

How to report a vulnerability

To report a vulnerability, email ITSA@cer.gov.au.

Make sure you include enough detail so we can reproduce your steps.

If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability. Otherwise, we may take legal action.

What happens next

We will:

  • respond to your report within 5 business days
  • keep you informed of our progress
  • agree upon a date for public disclosure.