External security vulnerability disclosure program

Our priority is to ensure the online security of our systems and we take every possible precaution to protect them. Despite our diligence, there are times where a possible vulnerability may exist.

We always welcome collaboration with both the security community and the public. To continue to foster this collaboration, we established a security vulnerability disclosure program.

We have designed the program so you can responsibly share any findings you have with us. If you believe you have discovered a vulnerability in any of our systems, you can report it to us through our vulnerability reporting portal.

Providing details in your report

If you find a vulnerability, please provide as much information as you can in your report. This will help us recreate the steps you took to find the vulnerability. This may include:

  • a description of the security vulnerability and its impact
  • the systems, users, and services affected (where possible)
  • potential steps to mitigate vulnerability.

We do not offer rewards such as money for discovering and reporting vulnerabilities.

We will provide public acknowledgement and thanks if you consent to us publicly identifying you.

Please note, our program does not grant permission for conducting security testing or operations against us. If you suspect a vulnerability, please inform us and we will manage the necessary testing and verification procedures.

Systems and services the program covers

Our security vulnerability disclosure program covers:

  • any product or service we operate which you have legitimate need to access
  • any product, service, and infrastructure we share with service partners, and which you have legal authorisation to access
  • any services owned by third parties but we use as a component of our services. You must also have legitimate need to access this component.

Under this program, you must not:

  • engage in physical testing of government facilities or services
  • leverage deceptive techniques, such as social engineering, against our employees, contractors, or any other party
  • execute resource exhaustion attacks, such as DOS (denial of service) or DDOS (distributed denial of service)
  • use automated vulnerability assessment tools
  • introduce malicious software or harmful software that could impact our services, products, customers or any other party
  • engage in unlawful or unethical behaviour
  • engage in reverse engineering of our products or systems
  • modify, destroy, exfiltrate, or retain data stored by us
  • provide deceptive, inaccurate, or hazardous information to our system
  • attempt to access accounts or data where you don’t have authorisation.

We ask that you do not disclose vulnerability information publicly. We also ask that you do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:

  • SSL (secure sockets layer) or TLS (transport layer security) certificates that are weak, insecure, or misconfigured
  • DNS (domain name system) records that are misconfigured. This includes, but isn’t limited to SPF (sender policy framework) and DMARC domain-based message authentication reporting and conformance
  • missing security HTTP (hypertext transfer protocol) headers (such as permissions policy)
  • theoretical cross-site request forgery and cross-site framing attacks.

For more information about our processes for handling vulnerability reports, contact us at vulnerability reporting portal.

Other vulnerabilities to include in your report

Please report any cyber security vulnerabilities you discover in our systems. The systems covered by our security vulnerability disclosure program are:

  • any system we own
  • any system, service, and infrastructure that we offer to industry members and stakeholders
  • any services we offer through a third-party system.

Keeping you updated after making a report

We take all vulnerability reports seriously. We will stay in contact with you about the issue during and after our investigation into it.

We may:

  • request further information from you
  • periodically update you about our progress on fixing it
  • notify you when we have rectified the vulnerability.

With your permission, we will publish the name or names of those who found a vulnerability.

Last updated:
30 Nov 2023
Online version available at: https://www.casa.gov.au//about-us/reporting-and-accountability/external-security-vulnerability-disclosure-program
Back to top of page