Vulnerability Disclosure Policy
About this policy
The security of OOSGG's systems is a top priority and we take every care to keep them secure. Despite our efforts, there may still be vulnerabilities.
OOSGG is keen to engage with the security community. This policy allows security researchers to share their findings with OOSGG. If you think you have found a potential vulnerability in an OOSGG system, service or product, please tell us as quickly as possible.
We do not provide compensation for finding potential or confirmed vulnerabilities, nor do we publish the names or details of researchers that have provided vulnerabilities.
What this policy covers
This policy covers:
- any product or service wholly owned by OOSGG to which you have lawful access.
This policy does not cover:
- clickjacking
- social engineering or phishing
- weak or insecure SSL ciphers and certificates
- denial of service (DoS)
- physical attacks
- attempts to modify or destroy data.
How to report a vulnerability
To report a vulnerability, please email ITSA@gg.gov.au. Provide enough detail that we can reproduce your steps.
If you report a vulnerability under this policy, please keep it confidential. Do not make your research public until OOSGG has finished investigating and fixed or mitigated the vulnerability.
What happens next
OOSGG will:
- respond to your report within 5 business days
- keep you informed of our progress
- agree upon a date for public disclosure, if required.