We have implemented a Cyber Disclosure Program: a collection of processes and procedures designed to identify, verify, resolve, and report on vulnerabilities disclosed by people who may be internal or external to our organisation. The program, which aligns with the State Government’s Cyber Security Policy, will improve our cyber security posture and assist in risk mitigation.
The Department encourages researchers to report potential vulnerabilities. If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorised. We will work with you to understand and resolve the issue quickly, and will not recommend or pursue legal action related to your research.
For further details, please refer to our Cyber disclosure policy which provides guidelines for security researchers on how to report vulnerabilities and what to expect in return from the Department. It describes:
- what systems and types of research are (and are not) authorised and in-scope for testing under the program;
- the principles and guidelines under which the policy applies;
- a definition of ‘research’ and reporting requirements;
- how to report any identified cyber vulnerabilities; and
- what can be expected from us in response to a report.
View the Cyber disclosure policy
Reporting a vulnerability
To report a cyber vulnerability, please use our online form below. To expedite the triaging and prioritisation of submissions, your report should:
- describe where the vulnerability was discovered and the potential impact of exploitation; and
- include enough detail so we can reproduce your steps. Screenshots and proof of concept code are helpful.
Please note that we can only accept reports for systems that are in scope of our Cyber Disclosure Policy.
What happens next
We will coordinate with you as openly and as quickly as possible during the remediation of any identified vulnerabilities. We will:
- acknowledge the receipt of your report within five business days;
- keep you informed throughout our internal investigation and, if required, our remediation and resolution of the identified vulnerability;
- agree on a date for public disclosure; and
- credit you as the person who discovered the vulnerability (unless you prefer to remain anonymous).
Persons who have reported vulnerabilities
In line with WA Government practice, details of persons reporting cyber vulnerabilities will be published on this page unless they have requested to remain anonymous.