Vulnerability Disclosure Program

The Courts and Tribunal are committed to ensuring the security  and integrity of our systems and data. In alignment with the Australian  Information Security Manual (ISM), we recognise the valuable role that security  researchers and general public play in identifying and reporting  vulnerabilities. This Vulnerability Disclosure Program (VDP) outlines the  permitted activities a researcher can perform, the process for reporting  potential security vulnerabilities, and the of the response Courts and  Tribunal.

​​​Purpose of the Vulnerability Disclosure Program

A vulnerability disclosure program (VDP) is a collection of  processes and procedures designed to identify, verify, resolve, and report on  vulnerabilities disclosed by people who may be internal or external to  organisations.  We appreciate the efforts  of responsible researchers and is committed to improving the security of our  systems.

This program does not authorise or endorse any researcher or  group to perform penetration testing, or hacking, against our systems.

Program Scope 

  • This VDP applies to all systems and services  that you are legally permitted to access for Reporting a Vulnerability.
Researchers are encouraged to report vulnerabilities via the  following means:

When reporting a vulnerability, please include the following  information: 

  1. A description and  details of the security vulnerability, including the type of issue 
  2. List of  potentially affected services (where possible) 
  3. Detailed steps to  reproduce the vulnerability, including any relevant URLs, parameters, and  sample code. 
  4. Proof-of-concept  code (where applicable) 
  5. Your contact  information for further correspondence (optional but encouraged) and; 
  6. Whether you would  like public acknowledgement for your contribution (under the acknowledgments  section of this webpage), and the name you would like to be acknowledged under.

If you report a vulnerability, you  must keep it confidential and not make a public notification or announcement of  the vulnerability until the vulnerability has been remediated.

Post-Disclosure Process

When you report a vulnerability, we will: 

  • Respond to you within 2-5 business days 
  • Recognise  your contribution to our program if you choose public acknowledgement for your  contribution.

We will not: 

  • Financially compensate you for reporting, or 
  • Share your details with any other organisation,  without your permission.

Disallowed Activities

To ensure the integrity of the program, there are several  activities that are not permitted under this Program. The following types of  research are not permitted: 

  • Social engineering or phishing 
  • Denial of Service (DoS) or Distributed DoS  (DDoS) attacks 
  • Physical attacks 
  • Attempts to modify or destroy data 
  • Clickjacking 
  • Accessing or attempting to access accounts or  data that does not belong to you 
  • Any activity that violates any law 
  • Posting, transmitting, uploading, linking to, or  sending any malware 
  • Automated vulnerability scan reports 
  • Leverage deceptive techniques 
  • Exfiltrating any data under any circumstances 
  • Testing third-party websites, applications, or  services that integrate with services or products 
  • Disclosure of known public files or directories 
  • Lack of Secure or HTTP Only flags on  non-sensitive cookies 
  • Usage of a known vulnerable library or framework  without valid attack scenario

Do not report security vulnerabilities relating to missing  security controls or protections that are not directly exploitable. Examples include: 

  • Weak, insecure or misconfigured SSL (secure  sockets layer) or TLS (transport layer security) certificates
  • Misconfigured DNS (domain name system) records  including, but not limited to SPF (sender policy framework) and DMARC  (domain-based message authentication reporting and conformance)
  • Legal & Privacy Considerations

By participating in this VDP, you  agree to comply with all laws and refrain from any activity that could cause  harm to the Courts and Tribunal or its stakeholders. The Courts and Tribunal  reserve the right to modify this policy at any time.

Personal information submitted in  connection with a vulnerability report will be used solely for the purpose of  contacting the reporter and addressing the reported vulnerability. It will not  be shared with third parties without the reporter's explicit consent unless  required by law.


We will publish the names or  aliases of people who contribute to our security Vulnerability Disclosure  Program below with their permission (non-offensive names only).​


By  following this Vulnerability Disclosure Program, you help us protect our  systems and data, ensuring a secure environment for all. We appreciate your  contributions to our cybersecurity efforts.

At June 2024