Vulnerability disclosure policy

About this policy

The Office of the Special Investigator (OSI) prioritises the security of our systems and the data we hold. We make every effort to keep our ICT systems secure, but acknowledge that vulnerabilities may still exist despite this.

This policy outlines how a person who has identified a vulnerability or potential vulnerability should notify the OSI, and the steps we will take on receipt of this information.

If you think you have found a potential vulnerability in an OSI system, please tell us as soon as possible.

We will not compensate you for finding potential or confirmed vulnerabilities. However, we can credit you as the person who discovered the vulnerability, unless you tell us not to.

What this policy covers

This policy covers:

  • any product or service operated by the OSI to which you have lawful access.

This policy does not cover:

  • clickjacking
  • social engineering or phishing
  • weak or insecure SSL ciphers and certificates
  • denial of service (DoS or DDoS) attacks
  • posting, transmitting, uploading, linking to, or sending any malware
  • physical attacks
  • attempts to modify or destroy data
  • attempts to extract or exfiltrate sensitive data.

How to report a vulnerability

To report a potential vulnerability, use the OSI Contact us form, making sure you include enough detail so we can reproduce your steps.

Specifically, please include:

  • the name of the affected product or software
  • the affected version of the product or software
  • sufficient details of the vulnerability. You may describe multiple vulnerabilities here rather than submitting multiple forms, if the vulnerabilities affect the same product.
  • step-by-step instructions to reproduce the vulnerability.

If you report a vulnerability under this policy, you must keep it confidential. Do not make it public until we have finished investigating and fixed or mitigated the vulnerability.

What happens next

We will:

  • respond to your report within five business days
  • work with our service providers to resolve the issue
  • keep you informed of our progress
  • agree upon a date for public disclosure.

People who have disclosed vulnerabilities to us

Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:

  • none recorded at this time.