The online security of our systems is our top priority. We take every care to keep them secure. But despite our efforts, they may still be vulnerable.
We are keen to engage with the security community. Our security vulnerability disclosure policy allows you to responsibly share your findings with us.
If you think you have identified a vulnerability in one of our systems, services or products, report it to us as quickly as possible.
As an Australian Government agency we can't compensate you for finding potential or confirmed vulnerabilities. However, we can recognise you by publishing your name or alias on this page.
Our policy doesn't authorise you to conduct security testing against the ATO. If you think a vulnerability exists, report it to us. We can test and verify it.
Our security vulnerability disclosure policy covers:
- any product or service wholly owned by us to which you have lawful access
- any product, service and infrastructure we provide to shared service partners to which you have lawful access
- any services that are owned by third parties but utilised as part of our services that you have lawful access to.
Under this policy, you must not:
- disclose vulnerability information publicly
- engage in physical testing of government facilities
- leverage deceptive techniques, such as social engineering, against ATO employees, contractors or any other party
- execute resource exhaustion attacks, such as DOS (denial of service) or DDOS (distributed denial of service)
- leverage automated vulnerability assessment tools
- introduce malicious software or similar harmful software that could impact our services, products or customers or any other party
- engage in unlawful or unethical behaviour
- reverse engineer ATO products or systems
- modify, destroy, exfiltrate, or retain data stored by the ATO
- submit false, misleading or dangerous information to ATO systems
- access or attempt to access accounts or data that does not belong to you.
Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:
- weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
- misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance)
- missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy)
- theoretical cross-site request forgery and cross-site framing attacks.
To report a potential security vulnerability, send details to VulnerabilityDisclosure@ato.gov.au.
Provide as much information as possible, including:
- an explanation of the potential security vulnerability
- listing the products and services that may be affected (where possible)
- steps to reproduce the vulnerability
- proof-of-concept code (where applicable)
- names of any test accounts you have created (where applicable)
- your contact details.
We ask that you also maintain confidentiality. Don't publicly disclose details of any potential security vulnerabilities without our written consent.
When you report a vulnerability, we will:
- respond to you within 2 business days
- recognise your contribution to our program.
We will not:
- financially compensate you for reporting
- share your details with any other organisation, without your permission.
If you have any questions, contact us at VulnerabilityDisclosure@ato.gov.au.
The names or aliases of people who contribute to our security vulnerability disclosure program will be published with their permission and shown below:
- Harrison Mitchell
- Cyril Luk
- Tim McMahon
- Callum Macarthur
- Scott Sturrock