Defence is committed to protecting the privacy, security and availability of its systems and services. 

The Defence Vulnerability Disclosure Program (VDP) expands Defence’s cyber security capability to include the proactive identification and remediation of information and communications technology (ICT) vulnerabilities.

Program scope

The Program provides the opportunity for individuals to report ICT security vulnerabilities that potentially affect the confidentiality, integrity or availability of Defence information, systems or services.

Use the Reporting technology security vulnerabilities form to report a vulnerability.

Prohibited activities

This program does not authorise or endorse those who have discovered vulnerabilities to perform any penetration testing, or hacking, against Defence systems. Prohibited activities include:

  • Social engineering or phishing
  • Denial of service (or distributed denial-of-service) attacks
  • Physical security testing
  • Changing, accessing, or deleting data
  • Executing code on Defence systems
  • Penetration testing
  • Port scanning
  • Vulnerability scanning.

What not to report

Vulnerabilities that do not need to be reported are as follows: 

  • Expired or self-signed certificates
  • Insecure secure sockets layer (SSL) protocols
  • Open ports
  • Out-of-date software, without an exploitable proof of concept
  • Content spoofing vulnerabilities
  • Domain name system (DNS) configuration related issues
  • Host header injection, without providing an exploitable scenario
  • Hypertext transfer protocol (HTTP) TRACE method enabled
  • Issues present in older versions of browsers, plugins, or any other software
  • Clickjacking
  • SSL vulnerabilities (configuration, version, weak ciphers), without a working exploit
  • Use of a vulnerable third party library/code snippet, without providing an exploitable scenario
  • Info.php, without providing an exploitable scenario.

Resources

Vulnerability Disclosure Program Public Policy (PDF, 293.44 KB)