About this policy

The security of our systems is our highest priority. We take every care to keep them secure. But despite our efforts, they may still be vulnerable.

Our security vulnerability disclosure policy allows you to share your findings with us.

As an Australian Government agency, we are unable to compensate you for finding potential or confirmed vulnerabilities. However, with consent, we can recognise your contribution by publishing your name or alias on this page.

What the policy covers

Our security vulnerability disclosure policy covers:

  • any product or service wholly owned by us to which you have lawful access; and
  • any services that are owned by third parties but utilised as part of our services that you have lawful access to.

Under this policy, you must not:

  • disclose vulnerability information publicly until we have finished investigating and fixed or mitigated the vulnerability
  • engage in physical testing of government facilities
  • leverage deceptive techniques, such as social engineering, against AIHW staff
  • perform resource exhaustion attacks, such as a denial-of-service attack that could impact on our services;
  • use automated vulnerability assessment tools
  • introduce malicious software or similar harmful software that could impact our services
  • engage in unlawful or unethical behaviour
  • modify, destroy, exfiltrate, or retain data stored by the AIHW
  • submit false, misleading or dangerous information to AIHW
  • access or attempt to access accounts or data that you are not authorised to.

Please do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:

  • weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
  • misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
  • missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy)
  • theoretical cross-site request forgery and cross-site framing attacks.

How to report a vulnerability

If you think a vulnerability exists, email us at [email protected]

In your email, provide as much information as you can so we can replicate your findings:

  • a description of what the security vulnerability is
  • the products and services that may be affected (where possible)
  • steps to reproduce the vulnerability.

Once you have reported the vulnerability to us, we ask that you also maintain confidentiality. Do not make your research or findings public until we have finished investigating and fixed or mitigated the vulnerability.

What happens next

When you report a vulnerability, we will:

  • respond to you within 5 business days
  • credit you as the person who discovered the vulnerability unless you prefer us not to.

If you have any questions, contact us at [email protected]