Our approach to vulnerability disclosure

Service NSW deeply values the positive impact security researchers have on our ability to provide safe and secure services to our customers.

We employ a bug bounty program through our partnership with Bugcrowd, and we gratefully accept any vulnerability disclosure reports. 

Our commitment to researchers

  • Trust. We maintain complete confidentiality in our professional exchanges with researchers. 
  • Respect. We treat all researchers with respect and recognise your positive contribution to helping keep our customers safe. 
  • Transparency. We will openly work with researchers to validate and remediate reported vulnerabilities in accordance with our commitments to security and privacy. 
  • Common good. We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability. 

Our ask of researchers

  • Trust. We ask that researchers communicate potential vulnerabilities with us in a responsible manner, providing us sufficient time and information to validate and address any potential issues. 
  • Respect. We request that researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing. 
  • Transparency. We request that researchers provide the technical details and background necessary for our team to identify and validate the reported issues. 
  • Common good. We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address the reported issues. 

How to report a vulnerability

We encourage you to submit details of suspected vulnerabilities across any asset owned, controlled, operated or maintained by Service NSW, including public-facing websites under the service.nsw.gov.au domain or the Service NSW mobile application. 

We are currently working on a new contact form for your submissions. This form will be active in late June 2022, so please check back later.

Please note that Service NSW cannot accept vulnerability reports on behalf of other NSW Government departments or agencies for assets that those departments or agencies own.

The Service NSW Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution. We will keep you informed throughout the process.