Australian Taxation Office

Did you know that the Australian Taxation Office has a Vulnerability Disclosure Program?

I was pretty excited when I stumbled across their VDP:

I reported a security vulnerability to the Australian Taxation Office! 🕵️

Australian Cyber Security Centre

It can be difficult to find the right person or team to escalate a security vulnerability to.

I have reported 20+ security vulnerabilities to service providers with critical infrastructure over the past few years.

When my usual approach of finding the right team does not work, I reach out to the Australian Cyber Security Centre (ACSC) for help.

I have escalated security vulnerabilities via the ACSC when there is a risk to critical infrastructure. Each time they have been responsive and made contact with the service provider or government department.

Vulnerability disclosure programs

I honestly would not have reported a vulnerability to the ATO if I did not stumble across their vulnerability disclosure program. I had noticed the issue but it was not immediately obvious that it was an issue until now.

The vulnerability disclosure program made me think “Have I noticed anything dodgy with any of their systems?”.

Please consider setting up a vulnerability disclosure program to at least make it easier for security researchers to report what they have found.


Thanks ATO for having a VDP and for adding me to the hall of fame! 🥳

Let’s chat on LinkedIn: