This program offers security researchers and department clients a direct contact method to report potential security vulnerabilities in the department's technology systems.
About the policy
We prioritise system security but recognise that vulnerabilities may still occur. Use this Vulnerability Disclosure Program (VDP) to report any potential vulnerability you find in our systems, services or products by submitting a report via the process outlined below.
We will not compensate you for finding potential or confirmed vulnerabilities. We may, however, provide public credit to you as the person who discovered the vulnerability on this page where appropriate and with your consent.
The purpose of this program is to receive, assess and remediate cyber security vulnerabilities. We encourage good-faith security researchers, professionals and online users of our systems to report vulnerabilities.
This program is not for general departmental services enquiries. We will not respond to contact through this process that is not about a specific potential security vulnerability of our technology systems.
Security research within scope of this policy
This policy covers:
- Any product or service wholly owned by DAFF to which you have lawful access.
Security research out of scope of this policy
This policy does not cover:
- Clickjacking
- Social Engineering or phishing
- Weak or insecure SSL/TLS ciphers or certificates
- Denial of Service (DoS)
- Physical attacks against DAFF, its employees or property belonging to DAFF or its employees
- Attempts to modify or destroy data
- Actions that violate Australian law
How to report a vulnerability
We operate our VDP under a responsible (coordinated) disclosure model and ask that you do not disclose the vulnerability to anyone else, or publicly, until we have told you that we have investigated and mitigated it.
We may need to contact you for more information to resolve the concern. We will handle your report confidentially in line with our privacy policy.
To report a potential security vulnerability email VulnerabilityDisclosure@aff.gov.au
Provide as much information as you can to enable replication and validation of the vulnerability. Where applicable, outline the following:
- details of the potential security vulnerability including a list of potentially affected products and services if possible
- steps to reproduce the vulnerability and any proof-of-concept code where applicable
- names of any test accounts you have created if applicable
- your contact details if you choose
- whether you would like public acknowledgement for your contribution in the acknowledgements section of this page, including the name you want us to use for you.
We will:
- Respond to your report within 5 business days if we determine that the report is accurate and in-scope
- Credit you as the person who discovered the vulnerability where appropriate and where you have consented to public acknowledgement.
We will not:
- pay you for reporting
- share your details with any other organisation without your permission.