Linkage Projects 2020 Round 3 Announcement Banner

Security Vulnerability Disclosure Policy

[TOC]

About this policy

The policy does not authorise you to conduct security testing against ARC ICT systems but provides an avenue for you to notify the ARC of any vulnerabilities you have found. Once we have been notified of a vulnerability, we can test and verify it and, if it is determined to be a real vulnerability, we can acknowledge your contribution.

As an Australian Government agency, the ARC cannot provide financial compensation for the discovery of potential or confirmed vulnerabilities. However, we can recognise your contribution by publishing your name (or alias) on this webpage.

What this policy covers

This policy covers:

  • any product or service operated by the ARC to which you have lawful access

Under this policy, you must not:

  • disclose vulnerability information publicly
  • engage in physical testing of government facilities
  • leverage deceptive techniques, such as social engineering, against ARC employees, contractors, or any other party
  • execute resource exhaustion attacks, such as DOS (denial of service) or DDOS (distributed denial of service)
  • leverage automated vulnerability assessment tools
  • introduce malicious software or similar harmful software that could impact our services, products or customers or any other party
  • engage in unlawful or unethical behaviour
  • reverse engineer ARC products or systems
  • modify, destroy, exfiltrate, or retain data stored by the ARC
  • submit false, misleading, or dangerous information to ARC systems
  • access or attempt to access accounts or data that does not belong to you.

This policy does not authorise individuals or groups to undertake hacking or penetration testing against ARC ICT systems. 
This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

Please do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:

  • weak, insecure, or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
  • misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
  • missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy)
  • theoretical cross-site request forgery and cross-site framing attacks.

What information we will collect

To report a potential security vulnerability, please send as much information as possible to VulnerabilityDisclosure@arc.gov.au, including:

  • an explanation of the potential security vulnerability
  • a listing of the products and services that may be affected (where possible)
  • steps to reproduce the vulnerability
  • proof-of-concept code (where applicable)
  • names of any test accounts you may have created (where applicable)
  • your contact details (and whether you wish to be publicly acknowledged)

The ARC may need to contact you for more information to address the vulnerability. We will handle all reports confidentially, in line with the ARC privacy policy.

The ARC asks that you maintain confidentiality and not publicly share details of any potential security vulnerabilities without the ARC’s written consent or until the ARC has mitigated the vulnerability.

How we will use the technical information we collect

When a vulnerability is disclosed to the ARC, we will:

  • analyse and evaluate the vulnerability to determine its validity and level of risk
  • remove or mitigate the vulnerability if deemed to be valid.

What we will do with the personal information we collect

When a vulnerability is disclosed to the ARC, we will:

  • Initially respond to you within 2 business days
  • keep you informed of our progress
  • credit you as the person who discovered a vulnerability, unless you would prefer us not to.

We will not:

  • provide any financial compensation for the disclosure
  • share your details with any other organisation, without your permission.

If you have any questions, contact us at VulnerabilityDisclosure@arc.gov.au

People who have disclosed vulnerabilities to the ARC

The names or aliases of people who have contributed to our security vulnerability disclosure program, published with their permission and shown below:

  • Sahaj Gautam
  • Parth Narula
  • Nikhil Rane
  • Jayden Newstead
  • Swapnil Ade