Vulnerability disclosure policy

About Austrade

How we can help you

News and analysis

Browse the latest Austrade news, analysis and publications. Explore timely stories about export, education, investment and other trade-related topics.

Events

Careers at Austrade

Careers at Austrade

Austrade offers great careers for people with a range of skills in Australia and overseas. Find out about what benefits we offer, how we recruit, and search for current vacancies.

About this policy

Protecting your information is our top priority. At Austrade, we strive to make our products and services safe and secure, but despite our best efforts, they may still be vulnerable.

The purpose of this policy is to enable security researchers and others to share their vulnerability findings with us. If you think you have found a potential vulnerability in an Austrade ICT product or service, please let us know as soon as possible.

As a government agency, we cannot compensate you for finding security vulnerabilities, whether potential or confirmed. Nor will we publish the names or details of anyone who reports them to us. However, you can be assured that your contribution to the public good is immensely appreciated.

What this policy covers

This policy covers information and communications technology (ICT) products or services owned or operated by the Australian Trade and Investment Commission (Austrade) to which you have lawful access.

This policy does NOT cover or authorise:

clickjacking
social engineering or phishing
weak or insecure SSL ciphers and certificates
denial of service (DoS), distributed denial of service (DDoS) or other resource exhaustion attacks
posting, transmitting, uploading, linking to, or sending any malware
physical attacks
attempts to modify, extract, exfiltrate or destroy data
any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

Authorisation

This policy does not authorise individuals or groups to undertake hacking or penetration testing against Austrade ICT systems or to engage in any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

How to report a vulnerability

To report a security vulnerability, please use the vulnerability disclosure form on this website. Provide enough detail so that we can reproduce your steps and confirm the vulnerability.

Where feasible, please provide the following information:

name of the product or service containing the vulnerability
details of the system or environment in which the issue was reproduced (browser, operating system etc.)
step-by-step instructions to reproduce the vulnerability
proof-of-concept or exploit code (if applicable)
potential impact of the vulnerability (if known).

Please keep your findings confidential. Do not make your research public until we have fixed or mitigated the vulnerability and agreed upon a disclosure date.

What happens next

We will:

respond to your report within 5 business days
keep you informed of our progress
agree with you upon a date for public disclosure.

About this policy

What this policy covers

Authorisation

How to report a vulnerability

What happens next

Footer content