To align with the Protective Security Policy Framework (PSPF), we must operate a Vulnerability Disclosure Program (VDP). A VDP is a set of processes and guidelines for identifying, verifying, fixing, and reporting security vulnerabilities, whether they come from internal or external sources. This webpage gives information about our External Vulnerability Disclosure Program.
We welcome the security community and public to work with us, and the VDP helps the responsible sharing of findings with us. We recognise the valuable role that security researchers, ethical hackers and other external entities play in improving our security posture.
This webpage outlines how to report potential security vulnerabilities, what information we need and our commitment to responding to those reports.
Scope
Our External Vulnerability Disclosure Program applies to any:
- product or service that we operate and to which you have a legitimate need to access
- product, service or infrastructure that we share with service partners and that you have legal authorisation to access
- service that a third party owns but that we use as part of our services, and to which you have a legitimate need to access.
We list all our systems on the Our Systems webpage.
Your Responsibilities
Please note that this program is not an authorisation to test: it does not grant permission to conduct security testing or other operations against our systems. Under this program, any participant must not:
- engage in physical testing of government facilities or services
- use deceptive techniques, such as phishing or social engineering
- perform resource exhaustion attacks, such as denial of service or distributed denial of service
- use automated vulnerability assessment, exploitation or penetration testing tools
- introduce malicious software that could affect our services, products, customers or any other party
- engage in unlawful or unethical behaviour
- engage in reverse engineering of our products or systems
- modify, destroy, exfiltrate, or keep data stored by us
- input deceptive, inaccurate, or hazardous information to our systems
- attempt to gain unauthorised access to accounts or data.
We ask that you do not:
- disclose vulnerability information publicly
- report findings that relate to missing security controls or protections that you cannot show to be directly exploitable. Examples include:
- SSL (secure sockets layer) or TLS (transport layer security) certificates that are weak, insecure or misconfigured
- misconfigured DNS (domain name system) records, such as SPF (sender policy framework) and DMARC (domain-based message authentication, reporting and conformance) records
- missing HTTP (hypertext transfer protocol) security headers (such as Permissions-Policy)
- theoretical cross-site request forgery or cross-site framing (clickjacking) attacks.
Recognition
We value collaboration and look to help responsible sharing of findings.
We will recognise and publicly thank you for your efforts if both:
- your report leads to a valid security fix or the identification of a vulnerability in any CASA-owned system
- you consent.
We do not offer monetary rewards or a bug bounty initiative.
Vulnerability Disclosure
Our priority is to ensure the security of our systems, and that we have taken every practical precaution to protect them. Despite our diligence, there remains a possibility that a vulnerability may exist. If you believe you’ve found a vulnerability in our systems, we want to hear from you. You can report it to us through our vulnerability reporting portal.
This section provides guidance on making a report.
What to Report
In your report, please give enough information for us to recreate the steps you took to find the vulnerability. Appendix A outlines the Vulnerability Reporting Form; the mandatory fields are described below.
Details of vulnerability
Give details of the affected system, including:
- system name and version number
- IP address or URL
- details of the device you used, including device type and operating system.
Give information about the vulnerability including:
- a description of the security vulnerability and its effects
- steps to replicate your discovery of the vulnerability
- potential steps to mitigate the vulnerability
- proof-of-concept code (where applicable)
- names of any test accounts you have created (where applicable).
Confirm that you agree to the terms of this program. Without this confirmation the report cannot be submitted.
Contact Details
If you want us to contact you, complete any of the optional contact fields:
- name
- phone number
- email address.
When to Report
Please submit your report as soon as possible after:
- discovering a vulnerability in a system covered by the Scope section
- collecting the information required under What to Report.
How to Report
Report any cybersecurity vulnerabilities you discover in our systems through our vulnerability reporting portal.
Vulnerability Assessment and Treatment
We will assess and treat the vulnerability report in line with internal CASA procedures. Once we have reproduced and confirmed the vulnerability, we will begin work to fix or mitigate it.
We will notify you of progress during this stage. We may request further information from you if required.
Outcome Notification and Publishing of Findings
Following Vulnerability Assessment and Treatment, we will tell you the outcome. With your permission, we will publish your name in public recognition of your discovery of the vulnerability.