Report a system security vulnerability

About our security vulnerability disclosure program

The security of our online systems and the information they hold is our highest priority. We take every care to ensure that they are secure and up to date. However, we recognise that despite these efforts there may still be vulnerabilities.

We welcome engagement from the security community and we are grateful to anyone who shares their findings with us to make the security of our systems even stronger. Our security vulnerability disclosure program provides an avenue for you to responsibly report any potential issues or vulnerabilities to us.

If you think you have identified an issue or vulnerability in one of our systems, services or products, please report it to us as quickly as possible. 

As an Australian Government agency we are unable to compensate you for finding potential or confirmed vulnerabilities.  

Our program does not authorise you to conduct security testing against the IGTO. If you think a vulnerability exists, please report it to us. We can test and verify it and, where necessary, take action to address the vulnerability. 

Where we need to procure expert services to assist with addressing the vulnerability, we will undertake these procurement activities in accordance with the Commonwealth Procurement Rules. 

What the program covers

Our security vulnerability disclosure program covers: 

  • any product or service wholly owned by us to which you have lawful access 
  • any product, service and infrastructure we provide to shared service partners to which you have lawful access 
  • any services owned by third parties but used as part of our services, to which you have lawful access.

Under this program, you must not: 

  • disclose vulnerability information publicly 
  • engage in physical testing of government facilities 
  • leverage deceptive techniques, such as social engineering, against IGTO employees, contractors or any other party 
  • execute resource exhaustion attacks, such as DoS (denial of service) or DDoS (distributed denial of service) 
  • leverage automated vulnerability assessment tools 
  • introduce malicious software or similar harmful software that could impact our services, products or customers or any other party 
  • engage in unlawful or unethical behaviour 
  • reverse engineer IGTO products or systems 
  • modify, destroy, exfiltrate, or retain data stored by the IGTO 
  • submit false, misleading or dangerous information to IGTO systems 
  • access or attempt to access accounts or data that does not belong to you. 

Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include: 

  • weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates 
  • misconfigured DNS (domain name system) records including, but not limited to, SPF (sender policy framework) and DMARC (domain-based message authentication, reporting and conformance) 
  • missing security HTTP (hypertext transfer protocol) headers (for example, Permissions-Policy) 
  • theoretical cross-site request forgery and cross-site framing attacks. 

How to report a vulnerability

To report a potential security vulnerability, send details to [email protected]. 

Provide as much information as possible, including: 

  • an explanation of the potential security vulnerability 
  • a list of the products and services that may be affected (where possible) 
  • steps to reproduce the vulnerability 
  • proof-of-concept code (where applicable) 
  • names of any test accounts you have created (where applicable) 
  • your contact details. 

We may need to contact you for more information to resolve the concern. We will handle your report confidentially in line with our privacy policy. 

We ask that you also maintain confidentiality. Please do not publicly disclose details of any potential security vulnerabilities without our written consent. 

What happens next

When you report a vulnerability, we will acknowledge your report within 2 business days. Unfortunately, we may be unable to share the outcomes or updates regarding any actions we have taken in relation to the vulnerability. 

We will not: 

  • financially compensate you for reporting 
  • share your details with any other organisation, without your permission 
  • guarantee any future security or systems work. All procurement of external contractors will be undertaken in accordance with the Commonwealth Procurement Rules. 

People who have disclosed vulnerabilities

The names or aliases of people who have contributed to our security vulnerability disclosure program are published below with their express written permission:

  • Parth Narula
  • Shivam Dhingra
  • Adrian Tirado Garcia

If you have any questions, contact us at [email protected].