Our approach to vulnerability disclosure
Service NSW deeply values the positive impact security researchers have on our ability to provide safe and secure services to our customers.
We employ a bug bounty program through our partnership with Bugcrowd, and we gratefully accept any vulnerability disclosure reports.
Our commitment to researchers
• Trust. We maintain complete confidentiality in our professional exchanges with researchers.
• Respect. We treat all researchers with respect and recognise your positive contribution to helping keep our customers safe.
• Transparency. We will openly work with researchers to validate and remediate reported vulnerabilities in accordance with our commitments to security and privacy.
• Common good. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.
Our ask of researchers
• Trust. We ask that researchers communicate potential vulnerabilities with us in a responsible manner, providing us sufficient time and information to validate and address any potential issues.
• Respect. We request that researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
• Transparency. We request that researchers provide the technical details and background necessary for our team to identify and validate the reported issues.
• Common good. We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address the reported issues.
We encourage you to submit details of suspected vulnerabilities across any asset owned, controlled, operated or maintained by Service NSW, including public-facing websites under the service.nsw.gov.au domain or the Service NSW mobile application.
Please note that Service NSW cannot accept vulnerability reports on behalf of other NSW Government departments or agencies related to assets owned by other departments or agencies.
The Service NSW Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution. We will keep you informed throughout the process.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.