Vulnerability disclosure policy

Our vulnerability disclosure policy provides guidance for security researchers and professionals to responsibly report potential security vulnerabilities discovered in Australian Communications and Media Authority (ACMA) products, services or systems.

We take the security of our information systems and data seriously. While we are active in our efforts to keep our systems secure, vulnerabilities may still exist. This policy allows good-willed security researchers and professionals to share their findings directly with us.

If you believe you have discovered a security vulnerability in any of our products, services or systems, please report it to us at responsible.disclosure@acma.gov.au as soon as possible.

What this policy covers

Our vulnerability disclosure policy covers:

  • any product, service or system wholly owned by us that you have lawful access to, or are authorised to use.

Responsible security research on our products, services or systems must be undertaken under Australian law, and not compromise or exploit the ACMA’s data, employees, infrastructure, operations and activities.

The ACMA will act in good faith with parties who report potential security vulnerabilities and will do our best to address each issue in a timely manner.

What this policy doesn’t cover

Under this policy, there are some disallowed research activities. Security researchers and professionals should familiarise themselves with these before starting research.

Activities that are prohibited under this policy include:

  • public disclosure of vulnerability information
  • clickjacking
  • leveraging deceptive techniques, including but not limited to social engineering or phishing
  • Denial of Service (DoS or DDoS) attacks
  • posting, transmitting, uploading, linking to, or sending any malware
  • physical attacks
  • attempts to modify or destroy data
  • attempts to extract or exfiltrate data
  • accessing or attempting to access accounts or data that do not belong to you
  • testing third-party websites, applications or services that integrate with our products, services or systems
  • any action that is unlawful or contrary to legally enforceable terms and conditions for using a product, service or system.

Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:

  • weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
  • misconfigured DNS (domain name system) records such as SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
  • missing security HTTP (hypertext transfer protocol) headers (e.g. permissions policy)
  • theoretical cross-site request forgery and cross-site framing attacks.

If you aren’t sure about any of the above or require any assistance, please contact responsible.disclosure@acma.gov.au before undertaking any activities.

How to report a vulnerability

Once you’ve established that a vulnerability exists, you should stop testing and report it to us immediately. To responsibly report a potential security vulnerability, email the details to responsible.disclosure@acma.gov.au.

We ask that you provide as much information as possible to allow us to assess and validate your findings, including:

  • an explanation of the potential security vulnerability and the potential impact (if known)
  • date the vulnerability was identified
  • a list of products, services or systems that may be affected, including version numbers (if known)
  • step-by-step instructions for reproducing the vulnerability
  • proof-of-concept code, scripts or screenshots (where applicable)
  • names of any test accounts you have created (where applicable)
  • your contact details.

We may need to contact you for more information. We will handle your report and any personal information you provide to us confidentially and in accordance with our privacy policy.

We also ask that you maintain confidentiality at all times and not disclose any potential security vulnerabilities publicly without our express written consent.

What happens after you make a report

When you report a vulnerability, we will confirm receipt within a reasonable timeframe.

If you would like public acknowledgement of your contribution, you must let us know and provide us with permission to publish your preferred name or alias. Public recognition will only occur after we have confirmed the validity of your report, and decisions to acknowledge contributions remain at our discretion. We will not share your details with any other organisation without your permission.

As an Australian Government agency, we can’t financially compensate individuals or organisations for finding potential or confirmed security vulnerabilities.

If you have any questions, contact us at responsible.disclosure@acma.gov.au.

People who have disclosed vulnerabilities

The following people have contributed to our security vulnerability disclosure program (names or aliases published with permission):

  • No current contributions.