Coordinated Vulnerability Disclosure

The security of the .auCheck website is very important. Despite the care we have taken to ensure security, an existing vulnerability may be found or a new one may arise.

If you have found a security flaw in the .auCheck website, please read this policy carefully. It describes our actions and your responsibilities.

Situation

You may have accidentally run across a weakness in our website by using it for its intended purposes, or perhaps you have been actively trying to find a vulnerability. In either case, it is important that you contact us as soon as possible.

However, this is not an invitation to extensively scan and test our site for weaknesses. We are doing this ourselves.

If you think you've found a weakness, we would like to work with you to remedy the situation and improve the security of our website.

We will always take notifications seriously and will look into suspected vulnerabilities.

Your responsibilities

Upon finding a potential security vulnerability, we ask you to take the following steps:

  1. send an email with your findings to [email protected] as soon as possible; make sure you provide sufficient information to replicate the problem, so we can fix it as soon as possible;

  2. do not run tests that may compromise anyone's physical security, involve social engineering or affect third-party applications;

  3. do not run brute force or denial of service attacks and don't exploit the vulnerability to, for example, change or delete data, or install malware;

  4. refrain from sharing the vulnerability with others until we have assessed and fixed it;

  5. do not copy data from our systems, other than what is absolutely necessary to demonstrate the vulnerability;

  6. leave your contact details (e-mail address and phone number), so we can get in touch and work with you to fix the problem.

Our commitment

In return we commit to the following steps:

  1. to acknowledge receipt of your report within 72 hours, and to respond within five working days with our evaluation of your reported issue and an expected date for a solution;

  2. to treat your report confidentially: we will not share your personal information without your consent, unless there's a legal requirement;

  3. to keep you informed of our progress in solving the problem;

  4. to include your name as the discoverer of a vulnerability in any news reports, if you wish;

  5. that an accidental discovery of a vulnerability will not lead to legal actions unless we've found a breach of the steps under 'we ask you to' or did not act in the spirit of responsible disclosure.

More information?

Do you want to know more about policies and practices of coordinated vulnerability disclosure?

  • The Global Forum on Cyber Expertise has developed this global good practices document.
  • Guidelines by the Australian Cyber Security Centre can be found in this guidance document.