About this policy
This policy gives security researchers who find a potential security vulnerability within the systems, services or products of the Australian Competition and Consumer Commission (the agency or ACCC) clear guidelines and a point of contact for reporting their research findings.
The security of our systems and the data we hold is a critical priority for the agency. We make every effort to keep our ICT systems secure. Despite our efforts, there may still be vulnerabilities.
This policy allows security researchers to responsibly share their findings with the ACCC. If you think you have found a potential vulnerability in one of our ICT systems, services, or products, you can report the vulnerability to us.
What this policy covers
Products or services wholly owned by the agency to which you have lawful access.
What this policy doesn’t cover
- Clickjacking
- Social engineering or phishing
- Weak or insecure SSL ciphers and certificates
- Denial of service (DoS or DDoS) attacks
- Posting, transmitting, uploading, linking to, or sending any malware
- Physical attacks
- Attempts to modify or destroy data
- Attempts to extract or exfiltrate sensitive data
- Any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.
Responsible security research
We allow responsible security research on our products and services to which you have authorised access.
Any responsible security research on our products and services must be done under Australian law. It must not compromise or exploit the ACCC’s data, employees, infrastructure, operations, and activities.
The agency will act in good faith with parties who report potential security vulnerabilities. We will address each issue promptly.
To encourage responsible reporting, we will not take legal action against security researchers who find and report a potential security vulnerability.
Report a security vulnerability
You can responsibly report potential security vulnerabilities to the ACCC information security team by emailing vulnerabilitydisclosure@accc.gov.au.
Provide detailed information of the potential security vulnerability to allow the security team to reproduce your steps. Please include:
- an explanation of the potential security vulnerability
- a list of products and services that may be affected
- steps to reproduce the vulnerability
- proof-of-concept code (where applicable)
- your contact information.
After you make a report
We will confirm receipt of your report and outline any remedial action we propose to take to address the security vulnerability.
Subject to any regulatory and legal requirements, all reports will be kept strictly confidential. This includes details of the potential security vulnerability as well as the identity of all researchers reporting it.
We ask that you maintain confidentiality until we have remediated or mitigated the potential security vulnerability. Public disclosure of any potential security vulnerability is not permitted without our express written consent.
As an Australian Government agency, we can’t compensate individuals or organisations for finding potential or confirmed security vulnerabilities.