The security of our systems is very important to us. While we make every effort to keep our systems secure, vulnerabilities may still exist.
Working with the security community is something we embrace. We have implemented our Vulnerability Disclosure Program to let you responsibly share your findings with us.
The purpose of this program is to receive, assess and remediate cyber vulnerabilities. We encourage good-willed security researchers and professionals to report our vulnerabilities to us. This program is not intended for general Agency services enquiries. We will not respond to any contact through this process that is unrelated to a potential security vulnerability.
If you discover a potential vulnerability in any of our systems, services or products, notify us as soon as possible. To notify us, follow the process outlined below.
Program Scope
Our Vulnerability Disclosure Program covers any:
- Product or service owned by us to which you have legal access, and
- Product, service and infrastructure we provide to shared service partners to which you have legal access.
Disallowed Activities
To ensure the integrity of the program, there are several research activities that are disallowed under this Program. We encourage security researchers and professionals to familiarise themselves with the following list before commencing any research.
The following types of research are disallowed:
- Social engineering or phishing
- Denial of Service (DoS) or Distributed DoS (DDoS) attacks
- Physical attacks
- Attempts to modify or destroy data
- Clickjacking
- Accessing or attempting to access accounts or data that does not belong to you
- Any activity that violates any law
- Posting, transmitting, uploading, linking to, or sending any malware
- Automated vulnerability scan reports
- Leveraging deceptive techniques
- Exfiltrating any data under any circumstances
- Testing third-party websites, applications, or services that integrate with services or products
- Disclosure of known public files or directories
- Lack of Secure or HttpOnly flags on non-sensitive cookies
- Usage of a known vulnerable library or framework without valid attack scenario
Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:
- Weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
- Misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
- Missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy), and
- Theoretical cross-site request forgery and cross-site framing attacks
How to disclose a vulnerability
To report a potential security vulnerability, email security@blood.gov.au.
Make sure you include as much information as possible:
- Details of the potential security vulnerability
- List of potentially affected products and services (where possible)
- Steps to reproduce the vulnerability
- Proof-of-concept code (where applicable)
- Names of any test accounts you have created (where applicable)
- Your contact details (if you choose), and
- Whether you would like public acknowledgement for your contribution (under the acknowledgments section of this webpage), and the name you would like to be acknowledged under.
Post-Disclosure Process
When you report a vulnerability, we will:
- Respond to you within 2 business days, and
- Recognise your contribution to our program by publishing your name or alias on our public website if you indicate you would like public acknowledgement.
We will not:
- Financially compensate you for reporting, or
- Share your details with any other organisation, without your permission.
Last updated: 03 Dec 2024