Information Security Manual (ISM)

Jurisdiction
New Zealand
Region
Asia/Pacific
Requirement
Recommended
Organization
Government Communications Security Bureau
Provision
Objective 5.9
Applies to
New Zealand Government departments, agencies and organizations; Crown entities, local government and private sector organizations
Date
September 2024
Description
Objective 5.9.1. Agencies implement a Vulnerability Disclosure Policy (VDP) to enable members of the public to report vulnerabilities in the agency’s public-facing systems and applications and to receive feedback on such reports.

Objective 5.9.20. A VDP will typically include:
- A scoping statement setting out which systems the policy applies to (e.g. the agency’s website and other public-facing systems);
- Details of how finders can contact the agency’s security team (including any public keys for encrypting reports);
- Permitted activities;
- Acknowledgement of reports and a response time (typically 60 or 90 days) for corrections, adjustments, or other “fixes”;
- Reporters/finders agreeing not to share information about the vulnerability until the end of the disclosure period, so that the organisation can fix the issues before they become public;
- A statement that illegal activities are not permitted (specifying any relevant legislation, such as the Crimes Act, the Privacy Act etc.); and
- Either a statement that bug bounties will not be paid for any discoveries, or information about the agency’s bug bounty programme.

Version 3.8 of this manual was released in September 2024.