Vulnerability Disclosure Policy

This policy gives security researchers a point of contact to submit their findings if they believe they have found a potential security vulnerability within an ONI web service.

About the Policy

The Office of National Intelligence takes the security of its systems seriously and we encourage responsible reporting of security vulnerabilities as soon as possible. If you believe you have found a potential vulnerability, please report it directly to us via the form at bottom of this page.

Reports of potential or confirmed vulnerabilities cannon be compensated of publicly credited.

Security research within scope of this policy

This policy is limited to web services wholly owned by ONI to which you have lawful access.

Security research out of scope of this policy:

This policy does not cover:

  • Physical attacks or tests against ONI, its employees or property belonging to ONI or its employees
  • Social engineering or phishing
  • Clickjacking
  • Denial of service or brute force testing
  • Weak or insecure TLS/SSL ciphers or certificates
  • Misconfigured DNS records (including for example SPF and DMARC)
  • Attempts to modify, exfiltrate or destroy data
  • Access or attempt to access accounts or data that does not belong to you
  • Use of automated vulnerability assessment tools
  • Submitting false or dangerous information or data to ONI systems, including malware
  • Actions that violate Australian law.

How to report a vulnerability

Please complete the form on this page, with enough detail that we can replicate the issue. If we require additional information, we may contact you using the details you provide on the form.

When you choose to share your contact details with us, we will:

  • Respond to you within five business days, acknowledging that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability.
  • Maintain an open dialogue to discuss issues on our progress and be as transparent as possible about the remediation process.

Report a security vulnerability

Please complete this form, with enough detail that we can replicate the issue. If we require additional information, we may contact you using the details you provide on the form.

Please describe the vulnerability in sufficient detail. You may describe multiple vulnerabilities here rather than submitting multiple forms.

Explain access or other conditions necessary to attack, steps to reproduce.

When you choose to share your contact details with us, we will: 

  • Respond to you within five business days, acknowledging that your report has been received.

  • To the best of our ability, we will confirm the existence of the vulnerability.

  • Maintain an open dialogue to discuss issues on our progress and be as transparent as possible about the remediation process. 

CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.
Help safeguard Australia and shape the future of intelligence.