Vulnerability disclosure policy

This policy is intended to give security researchers clear guidelines and a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within the NDIS Quality and Safeguards Commission (NDIS Commission).

About this policy

The security of our systems and the data we hold is a critical priority for the NDIS Commission. We take every effort to keep our Information and Communication Technology (ICT) systems secure. Despite our efforts, there may still be vulnerabilities.

This policy allows security researchers to responsibly share their findings with the NDIS Commission. If you think you have found a potential vulnerability in one of our ICT systems, services, or products, please advise the commission as quickly as possible.

What this policy covers

  • Products or services wholly owned by the commission to which you have lawful access

This policy does not cover:

  • Clickjacking
  • Social engineering or phishing
  • Weak or insecure SSL ciphers and certificates
  • Denial of service (DoS or DDoS) attacks
  • Posting, transmitting, uploading, linking to, or sending any malware
  • Physical attacks
  • Attempts to modify or destroy data
  • Attempts to extract or exfiltrate sensitive data
  • Any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

Authorisation

This policy does not authorise individuals or groups to undertake hacking or penetration testing against the NDIS Commission ICT systems. This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

How to report a vulnerability

To report a potential security vulnerability, send details to ictvulnerabilitydisclosure@ndiscommission.gov.au. Provide as much information as possible, including:

  • An explanation of the potential security vulnerability
  • A list of the products and services that may be affected (where possible)
  • Steps to reproduce the vulnerability
  • Proof-of-concept code (where applicable)
  • Your name (or alias) and contact details.

If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until the NDIS Commission has finished investigating and has fixed or mitigated the vulnerability.

What happens next

The NDIS Commission’s cyber security is delivered by Services Australia. All vulnerabilities reported to the NDIS Commission under this policy will be forwarded to Services Australia, who may contact you if more information is required.

When you report a vulnerability, the NDIS Commission will:

  • acknowledge your report has been received
  • forward your report to Services Australia
  • work with Services Australia to keep you informed of progress
  • with your permission, recognise you by publishing your name or alias to our program.

The NDIS Commission will only use or disclose personal information you provide with your report for the purposes of identifying and remedying potential security vulnerabilities.

The NDIS Commission will not share your details with any organisation other than Services Australia without your permission.

If you do not provide your name (or alias) and contact details, the NDIS Commission and Services Australia will still investigate your report, but will not be able to recognise you or contact you if we have any queries about your report.

The NDIS Commission’s Privacy Policy contains more information about how we handle personal information, including how we collect, use, hold and disclose information. It also sets out how you can access or seek correction of your personal information, and how to make a complaint about a breach of the Australian Privacy Principles, set out in the Privacy Act 1988 (Cth).

If you have any concerns or questions, you can contact us at contactcentre@ndiscommission.gov.au. As an Australian Government agency, we cannot compensate you for finding potential or confirmed vulnerabilities.

People who have disclosed vulnerabilities

Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:

  • Parth Narula
  • Adrian Tirado Garcia

Resources

Security file: text format