Responsible disclosure guidelines
IntroductionDOC takes the security and privacy of our information seriously. If you identify a security issue with our systems, tell us so that we can get it fixed.
Disclosure of system security issues
We value input from anyone in our community. Disclosure of security issues within our systems helps us to ensure the security and privacy of our information.
If you have identified a security issue within our systems, our information security team will work with you to validate and fix it.
We won’t take legal action against you or suspend or terminate your access to Department services when you follow these guidelines.
The Department reserves all of its legal rights if you do not follow the responsible disclosure guidelines.
Responsible disclosure guidelines
These guidelines are designed to help both you and the Department when you find a security issue with our systems. If you are doing security testing, you should:
- make every effort to avoid:
- a breach of the privacy of individuals
- anything that will slow the system down for other users
- disruption to production systems
- destruction of any data
- perform research only within the scope set out below
- delete, and do not share, any Department confidential information or personal information you might have obtained
- email firstname.lastname@example.org to report security issues with our systems as soon as possible after you find it (see further details below)
- keep information about any security issues with our systems that you’ve discovered confidential between yourself and the Department until we have had an opportunity to fix it.
Our commitment to you
If you act in good faith and follow these responsible disclosure guidelines, we commit to:
- not take any legal action against you related to your research, and cause no damage/disruption to Department services
- be as straightforward and communicative as we can with you
- treat the information you share with us as confidential within the Department and our suppliers, unless we have to disclose it because:
- a third party discovers the security issue within our system before we’ve had the opportunity to resolve it, or
- the information on the security issue within our system is used to cause a privacy breach and the Department is required to handle the breach in accordance with the Privacy Act 2020
- work with you to understand and resolve the issue quickly (including an initial confirmation of your report within seven days of submission)
- we may recognise your contribution with a letter of acknowledgement if you are the first to report the issue and we make a code or configuration change based on the issue
- not share your personal information with others without your written consent.
As of 27 October 2021, the responsible disclosure guidelines apply to only two specific DOC systems:
It is likely the scope will be expanded in the future.
Out of scope
Any other government departments or agency providers and services are excluded from scope.
For issues that affect other government departments or agency providers, we suggest you contact CERT NZ who offer an anonymous reporting service for system security issues.
In the interest of the safety of our users, employees, the internet at large and you, the following test types are excluded from scope:
- findings from physical testing such as office access (eg open doors, tailgating)
- findings derived primarily from social engineering (eg phishing, whaling)
- findings from applications or systems not listed in the ‘In Scope’ section
- UI and UX bugs and spelling mistakes
- network level Denial of Service (DoS/DDoS) weaknesses
- destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to the Department – this includes any information that may be relevant to you.
How do you report a security issue?
If you believe you’ve found a security issue in one of our products or platforms, send it to us by emailing email@example.com. Write the report clearly and in English, and include the following details:
- type of security issue
- how you found the security issue
- whether the security issue has been published or shared with others
- affected configurations
- exposure or possible exposure of any personal information
- description of the location and potential impact of the security issue
- a detailed description of the steps required to reproduce the issue or risk (proof of concept scripts, screenshots and compressed screen captures are all helpful to us)
- your name/handle for recognition in our Hall of Fame.
These guidelines have been adapted from the Ministry of Social Development | Te Manatū Whakahiato Ora Responsible Disclosure Guidelines.