About our policy
The online security of our systems, including our portal, is our highest priority, and we strive to ensure our systems are secure. However, despite our best efforts, they may still have vulnerabilities.
We value collaboration with the security community, and our vulnerability disclosure policy provides a way for you to share your findings with us responsibly.
If you believe you have discovered a vulnerability in one of our products, services, or systems, please notify us promptly.
As an Australian Government agency, we cannot compensate you for identifying vulnerabilities, whether potential or verified. However, if you would like, we can acknowledge your efforts by featuring your name or alias on this page.
Our security vulnerability disclosure policy prohibits unauthorised security testing on our systems. If you suspect a vulnerability exists, report it to us and we will conduct testing to verify it.
Scope of this policy
Our policy applies to:
- any product or service fully owned by us and lawfully accessible to you
- any product, service, or infrastructure that we provide to shared service partners and that is lawfully accessible to you
- third-party services used within our offerings that you have lawful access to.
Prohibited actions
Under our policy, you must not:
- disclose vulnerability details publicly
- conduct physical security tests on government facilities
- use deceptive methods, like social engineering, on our staff, contractors, or others
- perform resource exhaustion attacks such as denial of service (DoS) or distributed denial of service (DDoS)
- leverage automated vulnerability assessment tools
- introduce harmful or malicious software affecting our services or customers
- engage in unethical or illegal behaviour, including reverse-engineering our products or systems
- modify, access, exfiltrate, or retain our data
- submit false or harmful information to our systems.
What is not relevant for reporting
You do not need to report security vulnerabilities related to non-exploitable missing security features such as:
- weak or misconfigured Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates
- misconfigured Domain Name System (DNS) records
- missing HTTP security headers like permissions policies
- theoretical cross-site request forgery or framing vulnerabilities.
How to report a vulnerability
To report a possible security vulnerability, email your findings to vulnerabilitydisclosure@tpb.gov.au and provide:
- an explanation of the potential security vulnerability
- affected products or services (if identifiable)
- steps to replicate the vulnerability
- proof-of-concept code (if applicable)
- names of any test accounts that you created (if applicable)
- your contact information.
We may reach out to you for additional information to address the issue. Reports will be handled confidentially in line with our TPB privacy policy.
It is important you maintain confidentiality and do not disclose details of potential security vulnerabilities without our written approval.
After you report a vulnerability
When you report a vulnerability, we will respond within 2 business days and acknowledge your contribution to our program.
We will not:
- offer monetary compensation for your report
- share your information with external organisations without your consent.