Our vulnerability disclosure program helps us to improve the security of the Tribunal’s products and services. The program provides a way for security researchers and other parties to notify us if they have found a potential security vulnerability on our website.
What types of vulnerabilities can I report?
The vulnerability disclosure program covers security vulnerabilities relating to any product, system or service that belongs to the Tribunal, which you are authorised to use and/or have lawful access to. Do not report security vulnerabilities relating to weak or absent security controls or protections, such as:
- weak, insecure or misconfigured SSL or TLS certificates
- misconfigured DNS records such as SPF and DMARC
- missing HTTP security headers (e.g. Permissions-Policy)
- theoretical cross-site request forgery and cross-site framing attacks.
However, if you have evidence to suggest that one of the above can be chained with other vulnerabilities to affect the confidentiality, integrity, or availability of Tribunal systems, we encourage you to report this.
How do I report a vulnerability?
To report a potential security vulnerability relating to a Tribunal product, system or service, email the details to vulnerabilitydisclosure@art.gov.au with enough detail to reproduce the steps taken to find the vulnerability. We request that you do not publicly disclose any security vulnerabilities until we have discussed an appropriate way to do this with you.
What will happen next?
When you report a vulnerability, we will:
- respond to you to confirm that we have received your email
- keep you informed of our progress in verifying your disclosure and
- discuss any dates and processes for public disclosure, where appropriate.
We will not:
- financially compensate you for any reporting
- publicly credit you on our website or
- share your personal details with any other organisations without your permission.