Vulnerability Disclosure Policy

This policy is intended to give security researchers clear guidelines and a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within the Department of Social Services (the department or DSS).

About this policy

The security of our systems and the data we hold is a critical priority for the department. We make every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.

This policy allows security researchers to responsibly share their findings with the department. If you think you have found a potential vulnerability in one of our ICT systems, services, or products, please advise the department as quickly as possible.

What this policy covers

  • Products or services wholly owned by the department to which you have lawful access
  • Products or services wholly owned by one of our portfolio agencies to which you have lawful access.

This policy does not cover:

  • Clickjacking
  • Social engineering or phishing
  • Weak or insecure SSL ciphers and certificates
  • Denial of service (DoS or DDoS) attacks
  • Posting, transmitting, uploading, linking to, or sending any malware
  • Physical attacks
  • Attempts to modify or destroy data
  • Attempts to extract or exfiltrate sensitive data
  • Any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

Authorisation

This policy does not authorise individuals or groups to undertake hacking or penetration testing against DSS ICT systems. This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

How to report a vulnerability

To report a potential security vulnerability, send details to VulnerabilityDisclosure@dss.gov.au.

Provide as much information as possible, including:

  • An explanation of the potential security vulnerability
  • The products and services that may be affected (where possible)
  • Steps to reproduce the vulnerability
  • Proof-of-concept code (where applicable)
  • Your name (or alias) and contact details.

If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until the department has finished investigating and has fixed or mitigated the vulnerability.

What happens next

DSS cyber security is delivered by Services Australia. All vulnerabilities reported to the department under this policy will be forwarded to Services Australia, who may contact you if more information is required.

When you report a vulnerability, the department will:

  • acknowledge your report has been received
  • forward your report to Services Australia
  • work with Services Australia to keep you informed of progress
  • with your permission, recognise you by publishing your name or alias under this program.

The department will only use or disclose personal information you provide with your report for the purposes of identifying and remedying potential security vulnerabilities.

The department will not share your details with any organisation other than Services Australia without your permission.

If you do not provide your name (or alias) and contact details, the department and Services Australia will still investigate your report, but will not be able to recognise you or contact you if we have any queries about your report.

The department’s Privacy Policy contains more information about how we handle personal information, how you can access any personal information that we hold, and how to seek correction of personal information. It also contains information about how to make a complaint about a breach of the Australian Privacy Principles, as set out in the Privacy Act 1988 (Cth).

If you have any concerns or questions, you can contact us at complaints@dss.gov.au.

As an Australian Government agency, we cannot compensate you for finding potential or confirmed vulnerabilities.

People who have disclosed vulnerabilities

Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:

Siya Uday Mapsekar
Maroine Youcefi
ABID AHMAD
Zaki Zarkasih Al Mustafa
nhiephon (https://twitter.com/_nhiephon)

Last updated: