Security vulnerability disclosure

This policy gives a person a point of contact to directly submit their findings if they believe they have found a potential security vulnerability within ICT systems operated by the Australian Bureau of Statistics.

About this policy

The security of our systems and the data we hold is a critical priority for the ABS. We take every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.
This policy allows security researchers to share their findings with us in good faith. If you think you have found a potential vulnerability in one of our ICT systems, services or products, please tell us as quickly as possible.
We will not compensate you for finding potential or confirmed vulnerabilities. If you have not exploited the vulnerability or prematurely disclosed its possible existence, ABS will not take any legal action against you.

What this policy covers

This policy covers:
•    any product or service operated by the ABS to which you have lawful access

This policy does not cover:
•    clickjacking
•    social engineering or phishing
•    weak or insecure SSL ciphers and certificates
•    denial of service (DoS or DDoS) attacks
•    posting, transmitting, uploading, linking to, or sending any malware
•    physical attacks
•    attempts to modify or destroy data
•    attempts to extract or exfiltrate sensitive data

This policy does not authorise individuals or groups to undertake hacking or penetration testing against ABS ICT systems. 
This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

How to report a vulnerability

To report a vulnerability, email VulnerabilityDisclosure@abs.gov.au.
Include enough detail so we can reproduce your steps.
If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability. Otherwise, ABS may take legal action.

What happens next

We will:
•    respond to your report within 5 business days
•    keep you informed of our progress
•    agree upon a date for public disclosure
•    with your consent credit you as the person who discovered the vulnerability

People who have disclosed vulnerabilities to us

Below are disclosed vulnerabilities, a name or alias is included if consent has been received from the person/s who have identified it:
•    none recorded at this time