Vulnerability Disclosure Policy

This policy gives security researchers a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within the NDIA.

About the policy

NDIA is committed to protecting the systems that deliver the National Disability Insurance Scheme (NDIS), and the information held within them. We encourage the security community to report any potential vulnerabilities uncovered as soon as possible.

If you think you have found a potential vulnerability in one of our systems, services or products, please tell us as quickly as possible.

We will not compensate you for finding potential or confirmed vulnerabilities, however will credit you as the person who discovered the vulnerability unless you tell us not to.

Security research within scope of this policy

This policy covers:

  • Any product or service wholly owned by our Agency to which you have lawful access.

Security research out of scope of this policy

This policy does not cover:

  • Clickjacking
  • Social Engineering or phishing
  • Weak or insecure SSL ciphers or certificates
  • Denial of Service (DOS)
  • Physical attacks against the NDIS or NDIA, its employees or property belonging to NDIA or its employees
  • Attempts to modify or destroy data
  • Actions that violate Australian law.

How to report a vulnerability

Please email [email protected] with enough detail, that we can replicate and validate the vulnerability.

We operate our VDP under the responsible disclosure method, and ask that you do not disclose the vulnerability until we have had enough time to remediate it.

We will:

  • Respond to your report within 5 business days
  • Keep you informed of our progress
  • Agree upon a date for public disclosure
  • Credit you as the person who discovered the vulnerability unless you tell us not to.

People who have disclosed vulnerabilities to us

Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:

  • Satyam Singh
  • Chaudhary Pawan Rawat 
  • Nikhil Rane
  • Shae Anderson - (two (2) disclosures)
This page current as of
23 August 2022
Indicates required field
Was this page useful?*
Why not?