AFSA’s Security Vulnerability Disclosure Policy

Reporting a system security vulnerability

This policy gives security researchers a point of contact to directly submit their findings if they believe they have found a potential security vulnerability within the systems, services, or software of the Australian Financial Security Authority.

About this policy

The security of our systems and services is our top priority, and we make every effort to keep them secure. Despite this, they may still have one or more vulnerabilities.

Engagement with the security community is a key priority for us. This policy allows security researchers to share their findings with us. If you think you have found a potential vulnerability in one of our systems, services, or products, please tell us as quickly as possible.

Note that this policy does not authorise you to conduct security testing against AFSA services or infrastructure, and we will not compensate you for finding potential or confirmed vulnerabilities. If you believe a vulnerability exists, report it to us and we will test and verify it.

What this policy covers

Our security vulnerability disclosure policy covers:

  • any product or service wholly owned by us to which you have lawful access
  • any product, service, and infrastructure we provide to shared service partners to which you have lawful access
  • any services owned by third parties but used as part of our services, to which you have lawful access.

Under this policy, you must not:

  • disclose vulnerability information publicly without our written agreement
  • engage in physical testing of government facilities
  • use deceptive techniques, such as social engineering, against AFSA employees, contractors or any other party
  • carry out resource exhaustion attacks, such as DoS (denial of service) or DDoS (distributed denial of service)
  • use automated vulnerability assessment tools
  • introduce malicious software or similar harmful software that could impact our services, products, clients or any other party
  • engage in unlawful or unethical behaviour
  • reverse engineer AFSA products or systems
  • modify, destroy, exfiltrate, or retain data stored by AFSA
  • submit false, misleading, or dangerous information to AFSA systems
  • access or attempt to access accounts or data that does not belong to you.

Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:

  • weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) configurations or certificates
  • misconfigured DNS (domain name system) records including, but not limited to, SPF (sender policy framework) and DMARC (domain-based message authentication, reporting and conformance)
  • missing security HTTP (hypertext transfer protocol) headers (for example, Permissions-Policy)
  • theoretical cross-site request forgery (CSRF) and cross-site framing (clickjacking) attacks.

How to report a vulnerability

To report a potential security vulnerability, email VulnerabilityDisclosure@afsa.gov.au.

Please provide as much information as possible, including:

  • an explanation of the potential security vulnerability
  • a list of the products and services that may be affected (where possible)
  • steps to reproduce the vulnerability
  • proof-of-concept code (where applicable)
  • names of any test accounts you have created (where applicable)
  • your contact details.

We may need to contact you for more information to resolve the concern. We will handle your report confidentially, in line with AFSA's privacy policy.

We ask that you also maintain confidentiality. Please do not publicly disclose details of any potential security vulnerabilities without our written consent.

What happens next

We will:

  • respond to your report within 5 business days
  • keep you informed of our progress
  • discuss a date for public disclosure (be aware that provisions of the Privacy Act and other Government legislation may have an impact on those discussions)
  • credit you as the person who discovered the vulnerability, unless you prefer us not to.

We will not:

  • compensate you in any way, including financially
  • share your details with any other organisation, without your permission.

If you have any questions, contact us at VulnerabilityDisclosure@afsa.gov.au.

Hall of Fame

The following people have contributed to our security vulnerability disclosure program (names or aliases published with permission):

  • Parth Narula.