Vulnerability Disclosure Policy

About this policy

The security of our systems and the data we hold is a critical priority for the CDPP. We make every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.

This policy gives security researchers clear guidelines and a contact point to responsibly share their findings with us. If you think you have found a potential vulnerability in one of our ICT systems, services, or products, please tell us as quickly as possible.

What this policy covers

Our Vulnerability Disclosure Policy covers any products or services wholly owned by the CDPP to which you have lawful access.

What this policy doesn’t cover

Our vulnerability disclosure policy does not cover:

  • clickjacking
  • social engineering or phishing
  • weak or insecure SSL ciphers and certificates
  • denial of service (DoS or DDoS) attacks
  • posting, transmitting, uploading, linking to, or sending any malware
  • physical attacks
  • attempts to modify, extract or destroy data
  • any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

Responsible security research

This policy does not authorise individuals or groups to undertake hacking or penetration testing against CDPP ICT systems. This policy does not cover any action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

To encourage responsible reporting, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability.

How to report a vulnerability

To report a potential security vulnerability, email vulnerabilitydisclosure@cdpp.gov.au.

Please provide as much information as possible so we can reproduce and fix the vulnerability.

We ask that you provide the following information:

  • an explanation of the potential security vulnerability
  • a list of potentially affected products and services (where possible)
  • steps to reproduce the vulnerability
  • proof-of-concept code and/or screenshots (where applicable)
  • your contact details (optional).

After you make a report

When you report a vulnerability, we will:

  • confirm receipt of your report
  • keep you informed of our progress
  • work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.

We ask that you maintain confidentiality until we have remediated or mitigated the potential security vulnerability.

As an Australian Government agency, we can’t compensate individuals or organisations for finding potential or confirmed security vulnerabilities.