ICT Vulnerability Disclosure Policy

About this Policy

This policy sets out how users of AEC Information and Communications Technology (ICT) systems, services or products can responsibly report vulnerabilities they find in them to us. If you think you have found a potential vulnerability in one of our ICT systems, services or products, please tell us as quickly as possible.

The security of AEC ICT systems, services and products, and of the data the AEC holds, is a priority for the AEC. The AEC makes every effort to keep its ICT systems, services and products secure.

Scope

This policy applies to any ICT systems, services or products you lawfully access.

Prohibited Activities

You may examine AEC ICT systems, services and products in the course of lawfully using them. This policy does not, however, authorise individuals or groups to undertake ‘hacking’ or penetration testing against AEC ICT systems, services or products.

When using or examining AEC ICT systems, services or products, the following activities are also strictly prohibited:

  • Clickjacking.
  • Social engineering or phishing.
  • Denial of Service (DoS or DDoS) attacks.
  • Posting, transmitting, uploading, linking to, or sending any malware.
  • Physical attacks.
  • Attempts to modify or destroy data.
  • Attempts to extract or exfiltrate sensitive data.
  • Submitting false, misleading or dangerous information to the AEC and its ICT systems.
  • Any other action that is unlawful or contrary to legally enforceable terms and conditions for using an AEC ICT system, service or product.

Compensation

The AEC will not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities.

How to report a vulnerability

Please email VulnerabilityDisclosure[@]aec.gov.au with sufficient detail for us to replicate and validate the vulnerability.

The AEC operates its Vulnerability Disclosure Policy (VDP) under the responsible disclosure method and asks that you do not publicly disclose the vulnerability until we have had enough time to remediate it.

When reporting a vulnerability, you are encouraged to provide:

  • an explanation of the potential security vulnerability, including details of any exploit with enough information to enable our security team to reproduce it.
  • a list of products and services that may be affected.
  • proof-of-concept evidence and details.
    • .txt and images are accepted file formats.
    • Any .exe, code files, or other potentially malicious content types will be blocked by the AEC’s email gateway.
  • your contact details for further communication.

We will:

  • Acknowledge your report within five (5) business days.
  • Keep you informed, on request, of our progress.
  • Agree upon a date for your public disclosure, if applicable.

If you report findings that relate to missing or incomplete security configuration or protections and that are not directly exploitable, we may not respond to your submission. Examples include, but are not limited to:

  • Weak, insecure or misconfigured SSL (Secure Sockets Layer) or TLS (Transport Layer Security) certificates.
  • Misconfigured DNS (Domain Name System) records, including but not limited to SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance) records.
  • Missing security HTTP (Hypertext Transfer Protocol) headers (for example, Permissions-Policy).
  • Theoretical cross-site request forgery (CSRF) and cross-site framing attacks with no demonstrated impact.

The AEC’s Privacy Policy details the standards, rights and obligations on how we handle and maintain personal information. We may collect, hold, use and disclose personal information to carry out our functions or activities in compliance with the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs) found in the Privacy Act.

Updated: 21 June 2024