Skip links and keyboard navigation

Cyber security vulnerability disclosure statement

The Queensland Government fosters a trusted environment for individuals to disclose vulnerabilities in our products and systems. We encourage responsible security research through online communication channels, websites or direct communication .

Our program is based on ISO/IEC 29147 Information Technology – Security Techniques – Vulnerability Disclosure.

What is vulnerability disclosure?

Vulnerability disclosure is a process through which individuals, such as users, vendors or security researchers work together to find solutions that reduce risks associated with a vulnerability . Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk.

Vulnerability disclosure can include actions such as reporting, coordinating, and publishing details about a vulnerability and its resolution before public disclosure.

The Queensland Government Cyber Security Unit (CSU) also monitors OpenBugBounty.org for identified vulnerabilities.Prohibited research

We will not take legal action against security researchers acting in good faith if a potential security vulnerability is discovered or reported in strict in accordance with this disclosure statement policy.

The following types of research are strictly prohibited:

  • any attempt to modify or destroy any data
  • executing or attempting to execute a denial of service (DoS) attack
  • sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages
  • conducting social engineering (including phishing) of Queensland Government employees, contractors or customers or any other party
  • accessing or attempting to access accounts or data that does not belong to you
  • testing third party websites, applications or services that integrate with our services or products
  • posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products or customers or any other party
  • committing a data breach under any circumstances
  • any activity that violates any law.

Disclose a potential vulnerability

You suspect a vulnerability you can disclose potential security vulnerabilities to the CSU via email at cybersecurityunit@qld.gov.au.

If you discover any vulnerable personal, financial or proprietary information do not proceed any further and contact us immediately.

When reporting a vulnerability, you are encouraged to provide:

  • an explanation of the potential security vulnerability, including details of any exploit with enough information to enable the security team to reproduce it
  • a list of products and services that may be affected
  • proof-of-concept code, scripts and screenshots
  • your contact details for further communication.

After receiving your report, the CSU will:

  • contact you within three working days
  • notify you when the matter has been addressed
  • keep reports confidential (subject to any regulatory and legal requirements)
  • keep your identity confidential unless you choose otherwise.

We do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities outside of our authorised bug-bounty programs.

Due to limited cyber security resources, we ask that you do not report trivial issues that are unlikely to pose a risk to our users, systems or data.