Vulnerability Disclosure

Vulnerability Disclosure Policy (VDP)

The Department of Parliamentary Services (DPS) provides cyber security services to Australian Parliament network users and considers the security of the systems it manages a key strategic priority. DPS acknowledges that vulnerabilities may exist and that members of the public security community may identify them. DPS strives to continuously improve its cyber security risk posture and invites you to report any vulnerability you find. Every report is taken seriously and helps us implement appropriate mitigations and address the risk the vulnerability poses, reducing the chance that it is exploited by malicious attackers.

How to Report a Vulnerability

If you believe you have identified a vulnerability in a DPS or APH system, service, or product please complete this form: Report Security Vulnerability (aph.gov.au)

The form will require the following information:

  • Your name or alias
  • Your contact details, and
  • Details of the vulnerability.

Terms and Conditions of Conducting Vulnerability Research

DPS allows vulnerability research and testing on DPS-managed systems, services, and products that are publicly accessible and that members of the public have lawful access to.

The actions listed under Prohibited Actions in this Policy must not be undertaken when conducting vulnerability research.

DPS does not permit security testing against internally managed systems, services, or products.

Allowed Actions

In accordance with this Policy, the following activities/actions are permitted:

  • Vulnerability research and testing on any system, service, or product that is wholly owned by DPS, or owned by a third party, that you have lawful access to
  • Vulnerability research and testing on any system, service, or product that you have lawful access to, and
  • Vulnerability research and testing on DPS products, services, and systems is restricted to the aph.gov.au domain.

Prohibited Actions

In accordance with this Policy, the following activities/actions are prohibited:

  • Public disclosure of vulnerability information, files or directories
  • Engaging in social engineering or phishing attempts
  • Executing Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, or other attacks targeting availability or resources
  • Leveraging vulnerability reports or vulnerability scan reports
  • Introducing malicious or similarly harmful software
  • Reverse modifying, modifying, exfiltrating or destroying data
  • Accessing or attempting to access accounts that do not belong to you, and
  • Any other unlawful act, or act that violates the terms and conditions of a product or service.

Do Not Report

Please do not report potential security vulnerabilities that relate only to missing controls or protections, such as:

  • Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate and cipher configuration
  • Domain Name System (DNS) records, and
  • Missing Hypertext Transfer Protocol (HTTP) security headers or cookie flags.

Next Steps

DPS Cyber Security will review every reported vulnerability and may contact the reporter for more information.

Once a vulnerability has been reported, DPS will:

  • Acknowledge the vulnerability report has been received
  • Assess the existence of the vulnerability, and
  • If appropriate, obtain permission to recognise the vulnerability reporter by publishing their name or alias on this page.

DPS is a Commonwealth Entity and, as an Australian Government agency, is unable to compensate or reward vulnerability reporters for the discovery and submission of vulnerabilities. With the reporter's permission, DPS can provide a congratulatory certificate and/or mention their name or alias on this VDP page.

Privacy

DPS will not disclose a reporter's personal details or information to any other entity or organisation unless permission has been obtained to do so.

Please Note: where the vulnerability reporter does not provide a name/alias or contact details with the report, DPS will not be able to recognise the contribution.

The APH Privacy Policy contains more information on how personal information is managed under the Privacy Act 1988 (Cth).

Vulnerability Disclosures

The following names or aliases belong to members of the public security community who have contributed to the cyber security of Australian Parliament House: