Report a cyber security system risk

How to report cyber security system risks in our online systems, including myGov.

Our System Security Risk Disclosure policy outlines how you can tell us if you believe you’ve found a potential cyber security system risk within our online systems, including myGov.

Under this policy you should:

  • report any potential cyber security risks by using the process listed on this site
  • provide as much information as possible, including contact information and details of potential cyber security system risks
  • not breach our systems to test for security risks
  • understand we can’t provide any compensation for finding security risks.

What the policy covers

This policy covers any product or service operated by Services Australia that’s available for you to use. These include:

  • Centrelink
  • myGov
  • Medicare.

The policy doesn’t allow you to hack into our systems to test for cyber security system risks. If you find a risk or issue with our IT systems that might make them less secure, you must inform us as soon as possible. We can test it and confirm if it’s correct.

It doesn’t cover anything that is against the law. This can include but is not limited to denial-of-service attacks and attempts to modify or destroy data.

What a cyber security system risk is

Cyber security system risks are weaknesses, errors or flaws within a system that can lead to a cyber attack or data breach.

Some vulnerability types that researchers and customers may report include:

  • broken authentication
  • cross-site scripting
  • Structured Query Language (SQL) injection
  • zero-day vulnerabilities.

How to report a cyber security system risk

To report a potential cyber security system risk, provide as much information as possible, including:

  • your contact details
  • an explanation of the potential cyber security system risk
  • the products and services that may be affected
  • steps to reproduce the risk
  • any code or test accounts you have created.

We’ll handle your report confidentially in line with our privacy policy.

If you report a cyber security system risk, don’t tell anyone else without our permission in writing. The security of our payment systems and customer data is a priority for us.

Please report your cyber security system risk by email to public.disclosure@servicesaustralia.gov.au.

Please don’t use this email address to report a scam email that you’ve received. If you’ve received a scam email or text, go to Scams and identity theft for more information.

What the report process is

If you tell us about a cyber security system risk, we’ll:

  • confirm we received your submission within 5 business days
  • reply to your submission within 21 business days.

We’re committed to protecting the integrity of our online systems and we value the work the security community does. We appreciate when researchers or our customers take the time to tell us about potential cyber security system risks.

We can credit you by listing your name or alias on this webpage. This is optional and we will only do this if you give us your permission.

People who have disclosed cyber security system risks

The following people have identified cyber security system risks:

  • Aakash Tayal
  • Anthony Jones
  • Olligobber
  • Pabich Pawel.

Privacy and your personal information

The privacy and security of your personal information is important to us and is protected by law. We collect this information to improve the security of our services. We only share your information with other parties where you have agreed, or where the law allows or requires it. Read more about your right to privacy.

Page last updated: 2 October 2024.