Vulnerability Disclosure Statement
This statement gives a person a point of contact to directly submit their findings if they believe they have found a potential security vulnerability within digital systems operated by ASQA.
About our Vulnerability Disclosure Policy
Digital system security is important to us. Our security approach strives to keep these systems secure; however, there may be vulnerabilities which have not been discovered.
As such, it is important for us to have this mechanism in place to make reporting a security vulnerability quick and easy. Once a security vulnerability has been disclosed, it can provide us with the information required to shape appropriate mitigation steps and help us understand and address the risk that the security vulnerability may pose to our staff and end users of our digital systems.
To assist us in maintaining secure systems, we encourage the community to engage with us. To enable this collaboration, we have implemented a digital systems vulnerability disclosure policy to allow the community to share findings with us.
What the Vulnerability Disclosure Policy covers
The policy covers:
- any product or service operated by ASQA to which the person has lawful access
- any third-party-owned services used by ASQA to which the person has lawful access.
What the policy does not cover:
- social engineering or phishing
- weak or insecure SSL ciphers and certificates
- denial of service (DoS or DDoS) attacks
- posting, transmitting, uploading, linking to, or sending any malware
- physical attacks
- attempts to modify or destroy data
- attempts to extract or exfiltrate sensitive data.
This policy does not authorise individuals or groups to undertake hacking or penetration testing against ASQA digital systems. This policy does not cover any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.
How to report a digital systems vulnerability
If you have identified a vulnerability with our digital systems, please report it to us as quickly as possible via email, including enough detail so we can reproduce your steps.
As an Australian Government agency, we are unable to compensate you for discovering or confirming a vulnerability.
Our policy does not authorise security testing to be conducted against ASQA. If you believe there is a vulnerability, please report it to us so we can test and verify.
If you report a vulnerability under this policy, we request you keep it confidential and not make your research public until we have finished investigating and fixed or mitigated the vulnerability.
To report a suspected vulnerability in our digital systems, please contact: VulnerabilityDisclosure@asqa.gov.au
Please provide as much detail as possible, including:
- details of the potential vulnerability
- the product/service which may be impacted
- your contact details.
What happens next
We will:
- respond to your report within 5 business days
- keep you informed of our progress
- agree upon a date for public disclosure
- with your consent, credit you as the person who discovered the vulnerability.
People who have disclosed digital systems vulnerabilities to us
Below are names or aliases of people who have identified and disclosed vulnerabilities to us:
(Note: the names and aliases of the people listed consented to their name or alias being published)
- none recorded at this time