Responsible Disclosure guidelines

Responsible disclosure of security issues

If you find a security issue with our online systems, please tell us so that we can get it fixed. Our goal is to protect people’s privacy. That means getting vulnerabilities fixed as soon as possible.

It also means encouraging people to tell us about vulnerabilities. So, we want to work with anyone who tells us about vulnerabilities in our system.

These guidelines apply to the Ministry of Social Development website or sites linked to MSD, such as:

  • msd.govt.nz
  • workandincome.govt.nz
  • studylink.govt.nz
  • supergold.govt.nz.

If you find a vulnerability, please email us at IT_Security@msd.govt.nz.

For issues affecting other government agencies, please report via Report it @ NCSC.

What to tell us

Please tell us what you can of the following information without doing any further work on the vulnerability.

  • A clear description of the security issue, for example:
    1. type of vulnerability
    2. affected products and versions
    3. affected configurations
  • Where and how you found it, including, if possible:
    1. screenshots
    2. step-by-step instructions
    3. proof-of-concept code to replicate the issue (if you have this)
  • Whether the issue has been shared or published
  • Whether any personal information has been exposed or could be exposed
  • What has happened with any personal information exposed
  • Your name and contact details.

We will acknowledge your report and work with you to validate and resolve the issue. We appreciate your time and effort in helping us improve our security.

Our commitment to you

If you follow these guidelines, we commit to:

  • communicating openly and clearly with you
  • treating your report as confidential within the Ministry and our suppliers, unless:
    • a third party discovers the issue before we resolve it, or
    • the issue causes a privacy breach requiring disclosure under the Privacy Act 2020
  • not taking legal action against you if you follow these guidelines and cause no harm
  • responding to your report within seven days
  • recognising your contribution with a letter of acknowledgement if you are the first to report the issue and it results in a code or configuration change.

Note: The Ministry does not offer financial rewards or bug bounties.

What you should do

Delete and do not share any confidential or personal information you may have accessed.

Keep all information about the issue confidential between you and the Ministry until we’ve resolved it.

What you should not do

Some types of behaviour are not reasonable research approaches. Please do not try actions that can cause harm:

  • Denial of Service (DoS) attacks
  • slowing down systems for users
  • disrupting production systems
  • accessing data or information that does not belong to you. (Once you see there is a problem that exposes information, please do not look for more such information – one example is enough.)
  • destroying or corrupting data or information that does not belong to you
  • sharing any personal information you obtained.

Reference

These guidelines are based on the NZITF Coordinated Disclosure Guidelines and the Disclose.io framework.