Vulnerability disclosure policy

ICT Security Governance

Main content

About this policy

Protecting your information is our top priority. At Austrade, we strive to make our products and services safe and secure, but despite our best efforts, they may still be vulnerable.

The purpose of this policy is to enable security researchers and others to share their vulnerability findings with us. If you think you have found a potential vulnerability in an Austrade ICT product or service, please let us know as soon as possible.

As a government agency, we cannot compensate you for finding security vulnerabilities, whether potential or confirmed, nor will we publish the names or details of anyone who reports them to us. But you can be assured that your contribution to the public good is immensely appreciated.

What this policy covers

This policy covers information and communications technology (ICT) products or services owned or operated by the Australian Trade and Investment Commission (Austrade) to which you have lawful access.

This policy does NOT cover or authorise:

  • clickjacking
  • social engineering or phishing
  • weak or insecure SSL ciphers and certificates
  • denial of service (DoS), distributed denial of service (DDoS) or other resource exhaustion attacks
  • posting, transmitting, uploading, linking to, or sending any malware
  • physical attacks
  • attempts to modify, extract, exfiltrate or destroy data
  • any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.


This policy does not authorise individuals or groups to undertake hacking or penetration testing against Austrade ICT systems or to engage in any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.

How to report a vulnerability

To report a security vulnerability, please use the vulnerability disclosure form on the Austrade website. Provide enough detail so that we can reproduce your steps and confirm the vulnerability. Where feasible, please provide the following information:

  • name of the product or service containing the vulnerability
  • details of the system or environment in which the issue was reproduced (browser, operating system etc.)
  • step-by-step instructions to reproduce the vulnerability
  • proof-of-concept or exploit code (if applicable)
  • potential impact of the vulnerability (if known).

Please keep your findings confidential. Do not make your research public until we have fixed or mitigated the vulnerability and agreed upon a disclosure date.

What happens next

  • respond to your report within 5 business days
  • keep you informed of our progress
  • agree with you upon a date for public disclosure.