The security of our systems and the data we hold is a critical priority for the NDIS Commission. We take every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.
This policy is intended to give security researchers clear guidelines and a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within the NDIS Quality and Safeguards Commission (The NDIS Commission).
If you think you have found a potential vulnerability in one of our ICT systems, services, or products, please tell us as quickly as possible.
Policy review date: July 2024
Introduction
The security of our systems is a top priority and we take every care to keep them secure. Despite our efforts, there may still be vulnerabilities.
The NDIS Commission welcomes feedback from security researchers and the general public to help improve our security If you think you have found a potential vulnerability in one of our systems, services or products, please report it to us as quickly as possible. This policy outlines steps for reporting vulnerabilities to us, what we expect, what you can expect from us.
As an Australian Government agency we can’t compensate you for finding vulnerabilities, however, we can recognise you by publishing your name or alias on this page.
Reporting a vulnerability
To report a vulnerability, email us with enough detail so we can reproduce your steps.
Include in your report:
- the service and URL of the page where you found the vulnerability
- a description of the type of vulnerability
- details of the steps we need to take to reproduce the vulnerability
- any code required to reproduce
- screenshots or logs if you have them.
If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability.
Systems in scope
This policy applies to any digital assets owned, operated or maintained by the NDIS Commission.
Out of scope
Assets or other equipment not owned by parties participating in this policy.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
Guidelines for reporting a vulnerability
When you are investigating and reporting a vulnerability, you must not:
- undertake any activity that violates any law
- exfiltrate data under any circumstances.
- access unnecessary or excessive amounts of data
- attempt to modify or destroy data
- use high-intensity or destructive scanning tools
- try a denial of service or availability attack
- disrupt any NDIS Commission systems or services
- social engineer, phish or physically attack our staff or infrastructure.
After you report a vulnerability
The NDIS Commission cyber security is delivered by Services Australia. All vulnerabilities reported to the NDIS Commission under this policy will be forwarded to Services Australia who may contact you if more information is required.
Next Steps
We will:
- acknowledge receipt of your report
- forward your report to Services Australia
- work with Services Australia to keep you informed of progress
- tell you when public disclosure can occur (if the reported vulnerability is verified)
- credit you as the person who discovered the vulnerability unless you prefer us not to.
People who have disclosed vulnerabilities
The names or aliases of people who contribute to our security vulnerability disclosure program will be published with their permission and shown below:
- Parth Narula
- Adrian Tirado Garcia