An ACT Government Website

Report a system security vulnerability

Find out how to report a vulnerability in one of our systems, services or products.

The ACT Government is committed to ensuring the security and integrity of our systems and data. While we make every effort to keep our systems secure, vulnerabilities may still exist.

If you think you've identified a vulnerability in one of our systems, services or products, report it to us as quickly as possible.

We ask that you don't publicly disclose details of any potential security vulnerabilities without our written consent.

About the Vulnerability Disclosure Program

Our vulnerability disclosure program allows you to responsibly share your findings with us.

We appreciate the efforts of responsible security researchers and professionals.

The program outlines:

  • what you can research
  • how to report.

The program forms part of the ACT Government’s Cyber Security Policy.

The program does not authorise or endorse anyone to perform penetration testing or hacking against our systems.

What you can research

You can research any:

  • product or service wholly owned by us to which you have lawful access
  • product, service and infrastructure we provide to shared service partners to which you have lawful access
  • services owned by third parties but used as part of our services, to which you have lawful access.

Research that is not permitted

  • Accessing or attempting to access accounts or data that does not belong to you
  • Any activity that violates any law
  • Attempts to modify or destroy data
  • Automated vulnerability scan reports
  • Clickjacking
  • Denial of Service (DoS) or Distributed DoS (DDoS) attacks
  • Disclosure of known public files or directories
  • Exfiltrating any data under any circumstances
  • Lack of Secure or HTTP Only flags on non-sensitive cookies
  • Leveraging deceptive techniques
  • Physical attacks
  • Posting, transmitting, uploading, linking to, or sending any malware
  • Social engineering or phishing
  • Testing third-party websites, applications, or services that integrate with our services or products
  • Usage of a known vulnerable library or framework without a valid attack scenario

How to report

To report a potential security vulnerability, email details to ddtsictsecurity@act.gov.au.

What to include

Include your contact information and share as much information as possible, including:

  • date the vulnerability was observed
  • location of the vulnerability (e.g. URL, domain, etc.)
  • an explanation of the potential security vulnerability
  • a list of products and services that may be affected (where possible)
  • steps to reproduce the vulnerability
  • prior conditions (e.g. logged in, not logged in, previous actions, etc.) where applicable
  • proof-of-concept code (where applicable)
  • names of any files that were uploaded to our systems
  • the names of any test accounts you have created (where applicable)
  • if you would like public acknowledgement for your contribution and what name to publish.

Do not report security vulnerabilities relating to:

  • missing security controls
  • protections that are not directly exploitable.

Examples of these include:

  • weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
  • misconfigured DNS (domain name system) records including, but not limited to, SPF (sender policy framework) and DMARC (domain-based message authentication, reporting and conformance)
  • missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy)
  • theoretical cross-site request forgery and cross-site framing attacks.

You may make public (disclose) vulnerabilities 90 days after reporting to us, unless otherwise agreed by both parties.

What happens next

When you report a vulnerability, we will:

  • acknowledge that your report has been received within 5 business days
  • commence a review of the submission
  • maintain an open dialogue to discuss issues where appropriate.

With your permission, we can publicly acknowledge your contribution on this page. The vulnerability must be validated and you must commit to not publishing details elsewhere.

We will not:

  • financially compensate you for reporting
  • share your details with any other organisation without your permission.

People who have disclosed vulnerabilities

The names or aliases of security researchers who have disclosed vulnerabilities are published with their permission.

Andrew Caron | ΩGuardian
Miles Greenwark | Agile Digital
M. Zaeem Shafqat
M K Rahul Rao & A Nikhil Kumar | Bugboy07 & SpiritBoy47

Contact us

ACT Cyber Security Centre

If you need help or have questions, contact us.

Email
ddtsictsecurity@act.gov.au