Vulnerability Disclosure Program

The Courts and Tribunal are committed to ensuring the security and integrity of our systems and data. In alignment with the Australian Information Security Manual (ISM), we recognise the valuable role that security researchers and general public play in identifying and reporting vulnerabilities. This Vulnerability Disclosure Program (VDP) outlines the permitted activities a researcher can perform, the process for reporting potential security vulnerabilities, and the of the response Courts and Tribunal.  

Purpose of the Vulnerability Disclosure Program

A vulnerability disclosure program (VDP) is a collection of processes and procedures designed to identify, verify, resolve, and report on vulnerabilities disclosed by people who may be internal or external to organisations.  We appreciate the efforts of responsible researchers and is committed to improving the security of our systems.

This program does not authorise or endorse any researcher or group to perform penetration testing, or hacking, against our systems.

Program Scope

  • This VDP applies to all systems and services that you are legally permitted to access for Reporting a Vulnerability.

Researchers are encouraged to report vulnerabilities via the following means:


When reporting a vulnerability, please include the following information:

  1. A description and details of the security vulnerability, including the type of issue
  2. List of potentially affected services (where possible)
  3. Detailed steps to reproduce the vulnerability, including any relevant URLs, parameters, and sample code.
  4. Proof-of-concept code (where applicable)
  5. Your contact information for further correspondence (optional but encouraged) and;
  6. Whether you would like public acknowledgement for your contribution (under the acknowledgments section of this webpage), and the name you would like to be acknowledged under.

If you report a vulnerability, you must keep it confidential and not make a public notification or announcement of the vulnerability until the vulnerability has been remediated.

Post-Disclosure Process

When you report a vulnerability, we will:

  • Respond to you within 2-5 business days
  • Recognise your contribution to our program if you choose public acknowledgement for your contribution.

We will not:

  • Financially compensate you for reporting, or
  • Share your details with any other organisation, without your permission.

Disallowed Activities

To ensure the integrity of the program, there are several activities that are not permitted under this Program. The following types of research are not permitted:

  • Social engineering or phishing
  • Denial of Service (DoS) or Distributed DoS (DDoS) attacks
  • Physical attacks
  • Attempts to modify or destroy data
  • Clickjacking
  • Accessing or attempting to access accounts or data that does not belong to you
  • Any activity that violates any law
  • Posting, transmitting, uploading, linking to, or sending any malware
  • Automated vulnerability scan reports
  • Leverage deceptive techniques
  • Exfiltrating any data under any circumstances
  • Testing third-party websites, applications, or services that integrate with services or products
  • Disclosure of known public files or directories
  • Lack of Secure or HTTP Only flags on non-sensitive cookies
  • Usage of a known vulnerable library or framework without valid attack scenario

Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:

  • Weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
  • Misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
  • Legal & Privacy Considerations

By participating in this VDP, you agree to comply with all laws and refrain from any activity that could cause harm to the Courts and Tribunal or its stakeholders. The Courts and Tribunal reserve the right to modify this policy at any time.

Personal information submitted in connection with a vulnerability report will be used solely for the purpose of contacting the reporter and addressing the reported vulnerability. It will not be shared with third parties without the reporter’s explicit consent unless required by law.


We will publish the names or aliases of people who contribute to our security Vulnerability Disclosure Program below with their permission (non-offensive names only).​

By following this Vulnerability Disclosure Program, you help us protect our systems and data, ensuring a secure environment for all. We appreciate your contributions to our cybersecurity efforts.