Purpose
The security of our systems is important to us. While we try to keep our systems secure, vulnerabilities may still exist.
We embrace working with the security community. We have implemented our Vulnerability Disclosure Program so you can responsibly share your findings with us.
If you discover a potential vulnerability in any of our systems, services or products, tell us as soon as possible. Follow the process at How to disclose a vulnerability.
The purpose of this program is to receive, assess and remediate cyber vulnerabilities. We encourage good-willed security researchers and professionals to report our vulnerabilities. This program is not for general departmental services enquiries, like immigration or visa matters. We will not respond to contact through this process that is not about a potential security vulnerability.
Program scope
Our Vulnerability Disclosure Program covers any:
- product or service owned by us that you have legal access to, and
- product, service and infrastructure we provide to shared service partners that you have legal access to.
Disallowed activities
To ensure the integrity of the program, there are some disallowed research activities. Security researchers and professionals should familiarise themselves with these before starting research.
We have disallowed the following types of research:
- social engineering or phishing
- Denial of Service (DoS) or Distributed DoS (DDoS) attacks
- physical attacks
- attempts to modify or destroy data
- clickjacking
- accessing or attempting to access accounts or data that does not belong to you
- any activity that violates a law
- posting, transmitting, uploading, linking to, or sending any malware
- automated vulnerability scan reports
- leveraging deceptive techniques
- exfiltrating data under any circumstances
- testing third-party websites, applications, or services that integrate with services or products
- disclosure of known public files or directories
- lack of Secure or HTTP Only flags on non-sensitive cookies
- using a known vulnerable library or framework without valid attack scenario.
Do not report vulnerabilities about missing security controls or protections that are not directly exploitable. Examples include:
- weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
- misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
- missing security HTTP (hypertext transfer protocol) headers, for example, permissions policy
- theoretical cross-site request forgery and cross-site framing attacks.
How to disclose a vulnerability
To report a potential security vulnerability email VulnerabilityDisclosure@homeaffairs.gov.au.
Give as much information as you can, including:
- details of the potential security vulnerability
- a list of potentially affected products and services if possible
- steps to reproduce the vulnerability
- proof-of-concept code where applicable
- names of any test accounts you have created if applicable
- your contact details if you choose
- whether you would like public acknowledgement for your contribution in the acknowledgments section of this page. Include the name you want us to use for you.
After you disclose
When you report a vulnerability, we will:
- respond to you within 2 business days
- recognise your contribution to our program if you ask for public acknowledgement.
We will not:
- pay you for reporting
- share your details with any other organisation without your permission.
Acknowledgements
We will publish the names or aliases of people who contribute to our security Vulnerability Disclosure Program below with their permission.
2025
- Yiliyasi Aimaier
- Parth Narula
- Yanuar Yusuf
- Gokuleshwaran BharathKumar
