Our vulnerability disclosure program
We take the continued integrity of our information systems seriously and we understand that security is a shared responsibility. We value the community’s role in identifying and reporting vulnerabilities, and supporting our ongoing work to keep our systems secure.
Our vulnerability disclosure program allows security researchers to share their findings directly with us. If you believe you have discovered a security vulnerability in an Australian Prudential Regulation Authority system, service or product, please report it to us as soon as possible.
We cannot financially compensate you for reporting potential or confirmed vulnerabilities. However, with your consent we can recognise you by publishing your name or alias on this page.
The program does not authorise you to conduct security testing against our systems. If you think a vulnerability exists, please report it to us.
What the program covers
Our security vulnerability disclosure program covers:
- any product, system or service that belongs to us entirely and which you are authorised to use or have lawful access to
- any product, service or infrastructure that we provide to shared service partners, which you are authorised to use
- any services that are owned by third parties but are used as part of our services, which you are authorised to access.
Under this program you must not:
- publicly disclose information regarding vulnerabilities in our systems
- engage in physical testing of government facilities
- leverage deceptive techniques, such as social engineering, against our employees, contractors or any other party
- execute resource exhaustion attacks, such as DoS (denial of service) or DDoS (distributed denial of service)
- use automated vulnerability scanning tools against our systems
- introduce malicious software or similar harmful software that could impact our services, products or customers or any other party
- engage in unlawful or unethical behaviour
- reverse engineer our products or systems
- modify, destroy, exfiltrate, or retain data we store
- submit false, misleading or dangerous information to our systems
- access or attempt to access accounts or data that does not belong to you.
Do not report findings that relate to missing security controls or protections that are not directly exploitable. Examples include:
- weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) configurations or certificates
- misconfigured DNS (domain name system) records such as SPF (sender policy framework) and DMARC (domain-based message authentication, reporting and conformance)
- missing security HTTP (hypertext transfer protocol) response headers (e.g. Permissions-Policy)
- theoretical cross-site request forgery or cross-site framing (clickjacking) issues with no demonstrated impact.
Report a vulnerability
To report a potential security vulnerability, email the details to email@example.com.
What to include
- The version of the website or supporting product that contains the vulnerability
- Information about the system or environment where the issue was reproduced (such as the browser, operating system, etc.)
- The vulnerability type or classification (e.g. RCE, XSS, or the relevant CWE identifier)
- Step-by-step instructions for reproducing the vulnerability
- Any proof-of-concept or exploit code you may have
- The potential impact of the vulnerability, if known
- Names of any test accounts you created (where applicable)
- Date the vulnerability was identified
- Your contact details (if we need to request any additional information to address the concern)
We also ask that you maintain confidentiality and not disclose any potential security vulnerabilities publicly without our written consent.
What happens next
When you report a vulnerability, we will:
- acknowledge your report with an initial response
- publicly recognise your contribution to our program with your permission.
Public recognition will only occur after we have confirmed the validity of your report.
We will not:
- financially compensate you for reporting
- share your details with any other organisation, without your permission.
If you have any questions, contact us at firstname.lastname@example.org.
People who have disclosed vulnerabilities
The following people have contributed to our security vulnerability disclosure program (names or aliases published with permission):
No names currently listed.