If you have found a potential security vulnerability in our ICT systems, you can report it.

About this policy

The security of our systems and the data we hold is a critical priority for us. We make every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.

This policy allows security researchers to share their findings with us in good faith. If you think you have found a vulnerability in our ICT systems, services or products, tell us as soon as possible.

We won't compensate you for finding vulnerabilities. If you haven't exploited or disclosed the vulnerability too soon, we won't take any legal action against you.

What this policy covers

This policy covers any product or service operated by us that you have lawful access to.

This policy does not authorise individuals or groups to undertake hacking or penetration testing against our ICT systems. It does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

How to report a vulnerability

To report a vulnerability, email ITSA@cer.gov.au. Include enough detail so we can copy your steps.

If you report a vulnerability, you must keep it confidential. Don’t make your research public until we have finished investigating and fixed or mitigated the vulnerability. Otherwise, we may take legal action.

What happens next

We’ll reply to your report within 21 business days. We may contact you for more information. We’ll keep you updated at our discretion.