This policy outlines how CERT Australia will coordinate the disclosure of information relating to reported vulnerabilities that are not publicly known.
CERT Australia seeks to minimise the potential harm caused by the exploitation of vulnerabilities by coordinating their disclosure. This disclosure will also provide vendors and developers with additional time to mitigate the vulnerabilities and enable affected systems of national interest to reduce their exposure.
The discloser, CERT Australia and the affected vendor/developer agree to:
- adopt the procedures outlined in this policy
- operate in accordance with the relevant local law of their jurisdiction
- take reasonable care not to cause undue harm during security research, vulnerability discovery and disclosure
- provide sufficient information on the reported vulnerability as required
- maintain discretion
- keep timely communications.
CERT Australia will:
- facilitate agreement between relevant parties to disclose information regarding a vulnerability to the public
- give due credit or maintain anonymity to the extent possible
- provide fair and impartial treatment to all relevant parties
- make reasonable efforts to contact the discloser and affected vendor/developer prior to the release of the disclosure.
CERT Australia will not:
- provide a reward or incentive such as a ‘bug bounty’, however the affected vendor/developer may elect to do so
- recommend or pursue legal action on behalf of another party.
Vulnerabilities may be made public 45 days after CERT Australia notifies the affected vendor/developer, regardless of the existence or availability of patches or other mitigations. This timeframe could change if the vulnerability is:
- being actively exploited
- publicly disclosed by an entity other than CERT Australia
- reported by multiple sources to CERT Australia or the affected vendor/developer
- considered to be exceptionally serious (such as threatening public safety)
- on agreement between the discloser, CERT Australia and the affected vendor/developer.
Reporting to us
What to report to CERT Australia:
- High-impact vulnerabilities. These may affect many users, critical national infrastructure or physical safety and could occur in software components, protocols or hardware
- Vulnerabilities in websites or systems for big business or the Australian Government.
Vulnerability disclosure reports can be made by sending a PGP encrypted email to info [at] cert.gov.au with the following information:
- Details of the vulnerability discovered:
  - what products are affected
  - what platform(s) the product uses
  - what is the likely impact of successful exploitation
  - any other relevant information you can supply
  - any proof of concept
  - any research demonstrating the vulnerability is not public
- contact details
- whether you have been in contact with the affected vendor/developer
- whether the discloser would prefer to remain anonymous.
CERT Australia will respond with further details of the process within two business days.
If a party intends to provide a vulnerability disclosure report to CERT Australia but does not have access to PGP encrypted email, they can contact CERT to arrange other secure means of communication. The CERT PGP key can be found on our contact page.
CERT Australia reserves the right to accept or reject any vulnerability disclosure coordination role at our discretion.
Please be aware that the disclaimer available on CERT Australia’s website applies to this policy and any information disclosed pursuant to this policy.
Enquiries regarding this policy should be directed to info [at] cert.gov.au.