Vulnerability Disclosure Policy

The security of South Australian (SA) Government digital systems is a priority, and while we take every measure to keep them secure, vulnerabilities may still exist.

The SA Government encourages individuals, including security researchers and security professionals, to identify and report security vulnerabilities on government digital services including websites, applications and supporting ICT infrastructure, in line with its Vulnerability Disclosure Policy.

If you think you have found a potential vulnerability in a SA Government digital system, service or product, please tell us as quickly as possible.

The SA Government does not provide compensation for finding potential or confirmed vulnerabilities, nor do we publish the names or details of researchers that report vulnerabilities.

SA Government Vulnerability Disclosure Policy.

Guidelines for testing

Once you have established that a vulnerability exists, or encounter any sensitive data including personal information, financial information, or other confidential information, you must stop your test, notify us immediately, and not disclose this data to anyone else.

Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems and destruction or manipulation of data.

Comply with all applicable state and federal laws.

Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.

The following test methods are not permitted:

  • network denial of service (DoS or DDoS) tests or other tests that impair access to, or damage, a system or data
  • physical testing (e.g. office access, open doors, tailgating)
  • social engineering (e.g. phishing, vishing)
  • clickjacking
  • attempts to modify or destroy data
  • any other non-technical vulnerability testing.

How to report a vulnerability

To report a security vulnerability, submit a report through the address listed under Contact in the security.txt file associated with the digital service the vulnerability was discovered on.

If there is no security.txt file, then report it via email to watchdesk@sa.gov.au.
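As an added illustration of the lookup described above (example code, not part of the policy or any SA Government tool), the following Python parses a service's security.txt, returns the values of its Contact field, and falls back to the watchdesk address when the file is absent. Treating an expired file like a missing one is an assumption made by this example, not a rule the policy states; the sample file content is constructed.

```python
from datetime import datetime, timezone
from typing import Optional
# Fallback address named in the policy for services without a security.txt
FALLBACK_CONTACT = "mailto:watchdesk@sa.gov.au"

# Constructed sample file; not a real SA Government security.txt
SAMPLE_SECURITY_TXT = """\
# Security contacts for this service (constructed example)
Contact: mailto:security@example.gov.au
Contact: https://example.gov.au/report-vulnerability
Expires: 2030-01-01T00:00:00Z
"""

def parse_security_txt(text: str) -> dict:
    """Parse RFC 9116 'Field: value' lines into a field -> [values] map; comments
    and PGP armour lines are skipped (signature verification is out of scope)."""
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def is_expired(fields: dict, now: Optional[datetime] = None) -> bool:
    """True if Expires is missing, duplicated, unparseable or in the past."""
    now = now or datetime.now(timezone.utc)
    values = fields.get("expires", [])
    if len(values) != 1:
        return True  # RFC 9116 requires exactly one Expires field
    try:
        expires = datetime.fromisoformat(values[0].replace("Z", "+00:00"))
    except ValueError:
        return True
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= now

def reporting_contacts(text: Optional[str], now: Optional[datetime] = None) -> list:
    """Contact URIs to report to; the policy's fallback address if there is no usable file."""
    if text is None:
        return [FALLBACK_CONTACT]
    fields = parse_security_txt(text)
    if is_expired(fields, now):
        return [FALLBACK_CONTACT]  # stale file: assumption, treated like a missing file
    return fields.get("contact") or [FALLBACK_CONTACT]
```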

When you report a vulnerability, do so in a timely manner, keep it confidential and do not make your research public. Please allow a reasonable amount of time to fix or mitigate the vulnerability.

What happens next

The SA Government will respond to your report to:

  • acknowledge your report has been received
  • advise you of any remediation steps we are undertaking
  • seek further information if needed to verify the vulnerability
  • advise you when the vulnerability has been rectified