
Public Vulnerability Disclosure Program

At the Parliament of NSW, we take the security and privacy of our digital systems seriously. We welcome responsible disclosure of security vulnerabilities and value the contributions of security researchers and members of the public who help us strengthen our cyber resilience.

Scope

This program applies to all publicly accessible digital assets operated by the Parliament of NSW under the *.parliament.nsw.gov.au domain.
It does not include:

  • Third-party services, products, or systems not owned or managed by the Parliament;

  • Systems belonging to Members of Parliament, electorate offices, or other entities using Parliament's infrastructure but managing their own IT environments.

How to Report a Vulnerability

If you believe you have identified a security vulnerability in one of our systems, please notify us by email at: [email protected] with the subject line “Vulnerability Disclosure: [brief description]”.

Your report should include:

  • A clear description of the vulnerability and its potential impact.

  • The system or URL where it was discovered.

  • Steps required to reproduce the issue.

  • Any supporting evidence (e.g., screenshots, proof-of-concept code, or logs).

  • Your contact information (name or preferred alias, and an email address we can use to communicate with you).

You may choose to remain anonymous; however, providing contact details will help us follow up with you for clarification or updates.

Please do not publicly disclose details of the vulnerability until it has been resolved.

What to Expect

  • You will receive an acknowledgment within 5 business days of submitting your report.

  • Our Cyber Security team will investigate and validate the report.

  • If confirmed, remediation activities will be prioritised accordingly.

  • We may contact you for further information during our investigation.

  • You will be notified when the investigation has been completed. Once resolved, we may (with your consent) acknowledge your contribution publicly.

  • We do not offer monetary rewards or bounties for vulnerability disclosures.

Safe Harbour

If you act in good faith and comply with this policy:

  • You will not be subject to legal action by the Parliament of NSW for your responsible disclosure.

  • We will treat your actions as authorised under this program.

You must not:

  • Access, modify, or delete data that is not your own.

  • Exploit a vulnerability beyond confirming its existence.

  • Disrupt or degrade services (e.g. through Denial-of-Service testing).

  • Use social engineering, phishing, or physical intrusion methods.

  • Target third-party or supplier systems.

Testing should be limited to actions necessary to demonstrate the vulnerability.

Out-of-Scope Activities

The following activities are out of scope for this program:

  • Denial of Service (DoS/DDoS) attacks or resource-exhaustion attacks.

  • Social engineering or phishing activities.

  • Physical security testing or physical access attempts.

  • Attacks on third-party systems, products, or vendors.

  • Automated scanning or testing that generates excessive traffic or impacts system performance.

Privacy

When you contact us, the Parliament of NSW will collect your personal information (such as your name, alias, and email address) for the purpose of managing and responding to your vulnerability report.

Your information will be handled in accordance with the Privacy and Personal Information Protection Act 1998 (NSW) and will not be shared outside Parliament unless required for investigation or by law.

If you choose to remain anonymous, please note that we may not be able to contact you with updates or acknowledgements.

Legal Notice

This program does not authorise hacking, penetration testing, or any activity that may contravene Australian law, including the Criminal Code Act 1995 (Cth) or the Cybercrime Act 2001 (Cth).
All vulnerability discovery and reporting must be conducted responsibly and within legal boundaries.

Acknowledgement

We thank the security community and members of the public for helping us protect the information and systems that support the work of the Parliament of New South Wales.