A vulnerability is a technical issue with an Australian Institute of Family Studies website or service which attackers or hackers could use to exploit the website or its users.

Vulnerabilities are covered by this policy if the security.txt file for the domain points to this page.

You will not be paid a reward for reporting a vulnerability (i.e. a 'bug bounty').

Reporting a vulnerability

Include in your report:

• the service and URL of the page where you found the vulnerability
• a description of the type of vulnerability - for example, XSS vulnerability
• details of the steps we need to take to reproduce the vulnerability
• screenshots or logs if you have them

Report a vulnerability using this form or this email.

Guidelines for reporting a vulnerability

When you are investigating and reporting a vulnerability on a aifs.gov.au domain or subdomain, you must not:

• break the law
• access unnecessary or excessive amounts of data
• modify data
• use high-intensity or destructive scanning tools
• try a denial of service
• disrupt the Australian Institute of Family Studies services or systems
• tell other people about the vulnerability you have found
• social engineer, phish or physically attack our staff or infrastructure
• demand money to disclose the vulnerability

Only submit reports about exploitable vulnerabilities through this form or this email.

Contact the Australian Institute of Family Studies to report other issues including:

• a non-exploitable vulnerability
• something you think could be improved - for example, missing security headers
• TLS configuration weaknesses - for example, weak cipher suite support

Data protection

You must ensure data is protected when reporting a vulnerability. This means you cannot share any data you might retrieve from an Australian Institute of Family Studies website or service when researching a vulnerability.

You must keep the data secure until you delete it. You must delete the data as soon as we no longer need it or no later than 14 days after a vulnerability has been resolved - whichever comes first.

After you report a vulnerability

If you provide us with your contact details, you'll receive confirmation that we have received your report within 5 working days. We'll try to assess your report within 10 working days. We prioritise fixes by impact, severity, and exploit complexity.

Once a vulnerability has been fixed, we can work with you to disclose and publish a report.