This policy gives a person a point of contact to directly submit their findings if they believe they have found a potential security vulnerability within ICT systems operated by the Clean Energy Regulator (CER).
The security of our systems and the data we hold is a critical priority for the CER. We take every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.
This policy allows security researchers to share their findings with us in good faith. If you think you have found a potential vulnerability in one of our ICT systems, services or products, please tell us as quickly as possible.
We will not compensate you for finding potential or confirmed vulnerabilities. If you have not exploited the vulnerability or prematurely disclosed its possible existence, the CER will not take any legal action against you.
This policy covers:
This policy does not cover:
This policy does not authorise individuals or groups to undertake hacking or penetration testing against the CER ICT systems.
This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.
To report a vulnerability, email
ITSA@cer.gov.au and include enough detail so we can reproduce your steps.
If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability. Otherwise, the CER may take legal action.
About The Clean Energy Regulator
Carbon Pricing Mechanism
National Greenhouse And Energy Reporting
Renewable Energy Target
Emissions Reduction Fund
Our Systems And Their Resources
Clean Energy Markets
Data and information
Emissions Reduction Assurance Committee
Subscribe to email updates
Information Publication Scheme
Freedom of Information
The Clean Energy Regulator is a Government body responsible for accelerating carbon abatement for Australia.