Department of Customer Service Vulnerability Disclosure Program Pilot
Learn how to report a potential security vulnerability on a Department of Customer Service (DCS) domain, or an agency associated with a DCS domain, under the DCS Vulnerability Disclosure Program pilot.
DCS Vulnerability Disclosure Program pilot overview
DCS has implemented a Vulnerability Disclosure Program (VDP) to proactively enhance the security of our applications and digital services. This initiative reflects our commitment to strengthening our systems and fostering a culture of shared cyber security responsibility, rather than simply meeting regulatory requirements.
Our pilot VDP is a way for anyone, from professional security researchers to curious tinkerers, to report a potential vulnerability or cyber security issue on a DCS domain.
We welcome input from security researchers and the public to help strengthen our systems - if you’ve found something that doesn't seem right, we’d love to hear from you.
You can help strengthen DCS and the NSW Government’s cyber security posture
We’re committed to delivering secure and trusted digital experiences for all the people of NSW. However, we believe that cyber security is a shared responsibility and that great ideas can come from anywhere.
You can help us make our digital services better and safer for the people of NSW by reporting a potential vulnerability.
Every valid report will be treated seriously and with respect. We will thoroughly review and validate each submission, engaging with the appropriate teams to address the identified issue.
How to report a potential vulnerability
You can report a potential vulnerability or cyber security issue on the DCS domains listed in the Target section of the submission form below. This is a limited list of domains within the current VDP pilot.
We use Bugcrowd to manage and capture vulnerability reports. Bugcrowd is a trusted crowdsourced security platform that connects organisations with security researchers and ethical hackers to help find and fix vulnerabilities.
If you’ve found a cyber security issue on one of these domains, there are a few key considerations to keep the process fair and productive:
- please don’t access, change, or delete any data that isn’t yours
- avoid any testing that could impact services or users (like spamming or DDoS)
- do not share the issue publicly before reporting it to us, allowing us to fix the issue first
- use the reporting method below to ensure it reaches the correct team
- keep your activities and actions safe, respectful, and within the bounds of Australian law.
Issues and situations not considered security risks
There are a few things we generally don’t consider security risks:
- Performance issues: Problems related to performance that aren't tied to security are typically not part of a vulnerability disclosure (e.g., slow response times, inefficient resource usage).
- Usability issues: Problems related to how easy or intuitive a system is to use are outside the scope (e.g., confusing interfaces, poor user experience).
- Minor bugs: Small issues that do not impact security are generally excluded unless they have security implications (e.g., visual glitches or features not functioning correctly).
- Social engineering attacks: Any vulnerability that involves manipulating people, rather than systems.
- Privacy issues unrelated to security: Issues that involve user privacy but aren't tied to a technical vulnerability may not be part of vulnerability disclosure (e.g., terms of service violations, mishandling of data).
If you are in doubt, still report it
If you have a question or you’re not sure if what you’ve found qualifies, please go ahead and report it anyway. We’re here to help.
Be a part of our hall of thanks
If your report leads to a security fix, you’ll have the option to be recognised on our ‘Hall of Thanks’ page. Your name or username will be featured to celebrate your valuable contribution.
It’s our way of showcasing the impact of these security reports in helping strengthen our security.