Australian Taxation Office⌗

Did you know that the Australian Taxation Office has a Vulnerability Disclosure Program?

I was pretty excited when I stumbled across their VDP:
https://www.ato.gov.au/General/Online-services/Online-security/Report-a-system-security-vulnerability/

I reported a security vulnerability to the Australian Taxation Office! 🕵️

Australian Cyber Security Centre⌗

It can be difficult to find the right person or team to escalate a security vulnerability to.

I have reported 20+ security vulnerabilities to service providers with critical infrastructure over the past few years.

When my usual approach of finding the right team does not work, I reach out to the Australian Cyber Security Centre (ACSC) for help.

I have escalated security vulnerabilities via the ACSC when there is a risk to critical infrastructure. Each time they have been responsive and made contact with the service provider or government department.

Vulnerability disclosure programs⌗

I honestly would not have reported a vulnerability to the ATO if I did not stumble across their vulnerability disclosure program. I had noticed the issue but it was not immediately obvious that it was an issue until now.

The vulnerability disclosure program made me think “Have I noticed anything dodgy with any of their systems?”.

Please consider setting up a vulnerability disclosure program to at least make it easier for security researchers to report what they have found.

Thanks!⌗

Thanks ATO for having a VDP and for adding me to the hall of fame! 🥳

Let’s chat on LinkedIn:
https://www.linkedin.com/feed/update/urn:li:share:6959155200779583488