You can find out how to report a potential cyber security system risk in our online systems, including Centrelink, Medicare, Child Support, and myGov. This information is based on our Cyber Security System Risk Disclosure Policy.
If you identify a potential cyber security system risk, you should:
- report any potential risks using the process on this page
- provide as much information as you can, including your contact details and details about the potential risk
- not test or try to access our systems to check for security risks
- understand that we can’t provide compensation for identifying security risks.
This page isn’t for reporting:
- cyber-attacks
- scam emails or text messages
- unauthorised access to your myGov account.
To report a cyber-attack, complete the Report a cybercrime form on the Australian Signals Directorate website.
If you’ve received a scam email or text, go to Scams and identity theft to learn how to report it.
If someone has accessed your myGov account without permission, go to what to do if things go wrong online.
What the policy covers
This policy covers Services Australia online products and services, including:
- Centrelink
- Medicare
- Child Support
- myGov.
If you identify a potential cyber security system risk in one of our systems, tell us as soon as possible so we can investigate it.
This policy doesn’t allow you to test our systems for cyber security system risks. It also doesn’t cover unlawful activity, including denial-of-service attacks or attempts to modify or destroy data.
What a cyber security system risk is
Cyber security system risks are weaknesses, errors or flaws in a system that can lead to a cyber-attack or data breach for an organisation or website.
Examples of cyber security system risks include:
- broken authentication
- cross-site scripting
- Structured Query Language (SQL) injection
- zero-day vulnerabilities.
A cyber security system risk doesn’t include:
- unauthorised access to your myGov account
- scam emails or text messages you’ve received or clicked on
- a cyber-attack on your own system.
How to report a cyber security system risk
To report a cyber security system risk, email public.disclosure@servicesaustralia.gov.au.
Include as much information as you can, such as:
- your contact details
- details of the potential cyber security system risk
- the product or service that may be affected
- steps to reproduce the risk
- any code or test accounts you created.
We’ll handle your report confidentially, in line with our privacy policy.
If you report a cyber security system risk, don’t share details with anyone else unless we give you written permission. This helps us protect our payment systems and customer data.
Don’t use this email address to report scam emails or text messages. If you’ve received a scam email or text, go to Scams and identity theft for more information.
What happens after you report
If you report a cyber security system risk, we’ll:
- confirm we received your report within 5 business days
- reply within 21 business days, if we confirm the risk.
We’re committed to protecting our online systems and value the work of the security community. We appreciate the time you take to tell us about potential cyber security system risks.
We can credit you by listing your name or alias on this webpage. This is optional and we will only do this if you give us your permission.
People who have disclosed cyber security system risks
We acknowledge the following people for reporting cyber security system risks:
- Aakash Tayal
- Anthony Jones
- Olligobber
- Pabich Pawel
- Zahir Uddin Ahmad.
Privacy and your personal information
The privacy and security of your personal information are important to us and are protected by law. We collect this information to help improve the security of our services. We only share your information with other parties if you agree, or if the law allows or requires it. Read more about your right to privacy.