Vulnerability Disclosure Policy

Policy
This policy aims to safeguard the people of Western Australia by securing their information, and it provides guidelines for security researchers on how to report vulnerabilities and what to expect in return from the Office of Digital Government (DGov).
Last updated:

About this policy

We are committed to ensuring the security of the Western Australian public by protecting your information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preference in how to submit any discovered vulnerabilities.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and what you can expect from us.

If you make a good faith effort to comply with this policy during your security research, we will not take any legal action against you.

We will not compensate you for finding potential or confirmed vulnerabilities.

What this policy covers

In Scope:

This policy applies to the following systems and services:

  • The main WA.gov.au website (www.wa.gov.au)
    • OUT OF SCOPE: Websites hosted on other wa.gov.au subdomains are not in scope and not authorised for testing.
  • digital.wa.gov.au, excluding the subdomains listed below:
    • OUT OF SCOPE: forms.digital.wa.gov.au
  • The ServiceWA mobile application, available from the Apple App Store and the Google Play Store

Out of Scope:

Systems not listed above, including any third-party services or integrations, are excluded from scope and not authorised for testing. If you aren’t sure whether a system is in scope, please contact DGov at VulnerabilityDisclosure@dpc.wa.gov.au to discuss.

The following activities are out of scope and not permitted against any system:

  • Denial of service (DoS/DDoS) and spam.
  • Social engineering (e.g. phishing) against DGov staff.
  • Physical access attacks (e.g. attempting to access buildings).
  • Uploading malware, backdoors, webshells, or other “weaponised” exploits that could degrade system security or affect other users.
  • Attempts to access or manipulate accounts that do not belong to you (e.g. resetting passwords for other users).
  • Any attempts to modify or destroy data.

In general, low-severity issues without a direct security impact (weak SSL/TLS cipher suites, missing HTTP security headers, SPF/DKIM/DMARC misconfiguration, etc.) will not be considered in scope.

How to report a vulnerability

To report a vulnerability, please submit all reports to VulnerabilityDisclosure@dpc.wa.gov.au.

To expedite the triage and prioritisation of your submission, your report should:

  • Describe where the vulnerability was discovered and the potential impact of exploitation.
  • Include enough detail so we can reproduce your steps. Screenshots and proof of concept code are helpful.

What happens next

We will coordinate with you as openly and as quickly as possible during the remediation of any identified vulnerabilities.

We will:

  • Respond to your report within 5 business days.
  • Keep you informed throughout DGov’s internal investigation and remediation (if required) of the identified vulnerability.
  • Agree on a date for public disclosure.
  • Credit you as the person who discovered the vulnerability unless you prefer to remain anonymous.

People who have disclosed vulnerabilities to us

Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:

  • Parth Narula
  • Adam Jon Foster (evildaemond)
  • xitzhacks