Defence is committed to protecting the privacy, security and availability of its systems and services. When technology vulnerabilities are found, it is important to avoid all activities that may pose a further threat to systems and data security.

To help reduce cyber risk, individuals and organisations are encouraged to report information related to Defence technology security vulnerabilities.

What to report

When reporting a vulnerability, provide details, including:

  • potential impact of exploitation
  • where the vulnerability was found, such as hostname, URL, IP address or radio frequency band
  • specific tools or techniques used to discover the vulnerability
  • what access or other conditions an attacker requires to exploit the vulnerability
  • details of potential gains/benefits if the vulnerability was exploited
  • whether there are any known active exploitations.

What not to report

Vulnerabilities that do not need to be reported include all routine security vulnerabilities, such as:

  • out-of-date software
  • expired secure sockets layer (SSL) certificates
  • insecure SSL protocols
  • domain name service (DNS) configuration issues
  • issues in older versions of browsers, plugins and other software. 

Reporting form

Vulnerabilities can be reported by completing and submitting the form below. Multiple vulnerabilities can be reported in the same submission.

Reports can be submitted anonymously by leaving the name field blank. If a name is provided, this may be acknowledged in vulnerability reporting.

Describe the vulnerability, including the discovery method, source location, at-risk applications, dependencies, conditions, impacts, attacker reward, active exploitations, etc.

Contacts

1800 333 362 (1800 Defence)