This policy is intended to give clear guidelines on how to conduct security research against our information technology systems, how to report a potential security vulnerability you have found, and how we will evaluate and act on your report.
The following activities are not permitted against any system:
- denial of service (DoS/DDoS) and spam
- social engineering (e.g. phishing) against our Department staff
- physical access attacks (e.g. attempting to access buildings)
- uploading malware, backdoors, webshells, or other ‘weaponised’ exploits that could degrade system security or affect other users
- attempting to access or manipulate accounts that do not belong to you (e.g. resetting passwords for other users)
- any attempt to modify or destroy data.
How to report a vulnerability
To report a vulnerability, please submit all reports to VulnerabilityDisclosure@dpird.wa.gov.au.
To help address the issue as quickly as possible, your reports should:
- describe where the vulnerability was discovered and the potential impact of exploitation
- include enough detail so we can reproduce your steps. Screenshots and proof of concept code are helpful.
What happens next
We will:
- respond to your report within 5 business days
- keep you informed throughout our internal investigation and remediation (if required) of the identified vulnerability
- agree on a date for public disclosure
- credit you as the person who discovered the vulnerability (unless you prefer to remain anonymous).