Vulnerability Disclosure Policy
This policy gives security researchers a point of contact to submit their findings if they believe they have found a potential security vulnerability within an ONI web service.
About the Policy
The Office of National Intelligence takes the security of its systems seriously and encourages responsible reporting of security vulnerabilities as soon as possible. If you believe you have found a potential vulnerability, please report it directly to us via the form at the bottom of this page.
We are unable to offer compensation or public credit for reports of potential or confirmed vulnerabilities.
Security research within scope of this policy
This policy is limited to web services wholly owned by ONI to which you have lawful access.
Security research out of scope of this policy
This policy does not cover:
- Physical attacks or tests against ONI, its employees or property belonging to ONI or its employees
- Social engineering or phishing
- Clickjacking
- Denial of service or brute force testing
- Weak or insecure TLS/SSL ciphers or certificates
- Misconfigured DNS records (including for example SPF and DMARC)
- Attempts to modify, exfiltrate or destroy data
- Access or attempt to access accounts or data that does not belong to you
- Use of automated vulnerability assessment tools
- Submitting false or dangerous information or data to ONI systems, including malware
- Actions that violate Australian law.
How to report a vulnerability
Please complete the form on this page, with enough detail that we can replicate the issue. If we require additional information, we may contact you using the details you provide on the form.
When you choose to share your contact details with us, we will:
- Respond to you within five business days, acknowledging that your report has been received.
- Confirm, to the best of our ability, the existence of the vulnerability.
- Maintain an open dialogue about our progress and be as transparent as possible about the remediation process.