The security of our systems and the data we hold is a critical priority for DFAT. We make every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.
This policy allows security researchers to responsibly share their findings with us. If you think you have found a potential vulnerability in one of our ICT systems, services, or products, please tell us as quickly as possible.
What this policy covers
This policy covers:
Products or services operated by DFAT to which you have lawful access.
This policy does not cover:
Clickjacking
Social engineering or phishing
Weak or insecure SSL ciphers and certificates
Denial of service (DoS or DDoS) attacks
Posting, transmitting, uploading, linking to, or sending any malware
Physical attacks
Attempts to modify or destroy data
Attempts to extract or exfiltrate sensitive data
Any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.
Authorisation
This policy does not authorise individuals or groups to undertake hacking or penetration testing against DFAT ICT systems. This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.
As an Australian Government agency, we cannot compensate you for finding potential or confirmed vulnerabilities. With your permission, we can recognise you by publishing your name or alias.
How to report a vulnerability
To report a vulnerability, email us at Vulnerability[.]Disclosure[@]dfat.gov.au and include enough detail so we can reproduce your steps and remediate the vulnerability.
If you report a vulnerability under this policy, you should keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability.
What happens next
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
We will:
Acknowledge that your report has been received within 5 business days and commence a review of the submission
Keep you informed of our progress
Maintain an open dialogue to discuss issues
If deemed appropriate, publicly declare the identified vulnerability.