Vulnerability Disclosure Policy

About this policy

The security of our systems and the data we hold is a critical priority for DFAT. We make every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.

This policy allows security researchers to responsibly share their findings with us. If you think you have found a potential vulnerability in one of our ICT systems, services, or products, please tell us as quickly as possible.

What this policy covers

This policy covers:

  • Products or services operated by DFAT to which you have lawful access.

This policy does not cover:

  • Clickjacking
  • Social engineering or phishing
  • Weak or insecure SSL ciphers and certificates
  • Denial of service (DoS or DDoS) attacks
  • Posting, transmitting, uploading, linking to, or sending any malware
  • Physical attacks
  • Attempts to modify or destroy data
  • Attempts to extract or exfiltrate sensitive data
  • Any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

Authorisation

This policy does not authorise individuals or groups to undertake hacking or penetration testing against DFAT ICT systems. This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

As an Australian Government agency, we cannot compensate you for finding potential or confirmed vulnerabilities. With your permission, we can recognise you by publishing your name or alias.

How to report a vulnerability

To report a vulnerability, email us at Vulnerability[.]Disclosure[@]dfat.gov.au and include enough detail so we can reproduce your steps and remediate the vulnerability.

If you report a vulnerability under this policy, you should keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability.

What happens next

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

We will:

  • Acknowledge that your report has been received within 5 business days and commence a review of the submission
  • Keep you informed of our progress
  • Maintain an open dialogue to discuss issues
  • If deemed appropriate, publicly declare the identified vulnerability.