Report a system security risk

How to report IT security risks in our online systems, including myGov.

Our System Security Risk Disclosure policy outlines how you can tell us if you believe you’ve found a potential IT security risk within our online systems, including myGov.

Through this policy you should:

  • report any potential cyber security risks by using the process listed on this site
  • provide as much information as possible, including contact information and details of potential cyber security risks
  • not breach our systems to test for security risks
  • understand we can’t provide any compensation for finding security risks.

What the policy covers

This policy covers any product or service operated by Services Australia that’s available for you to use. These include:

  • Centrelink
  • myGov
  • Medicare.

The policy doesn’t allow you to hack into our systems to test for security risks. If you find a risk or issue with our IT systems that might make it less secure, you must inform us as soon as possible. We can test it and confirm if it’s correct.

It doesn’t cover anything that is against the law. This can include but is not limited to denial-of-service attacks and attempts to modify or destroy data.

How to report a security risk

Email Public Disclosure to report a potential security risk.

Provide as much information as possible, including:

  • your contact details
  • an explanation of the potential security risk
  • the products and services that may be affected
  • steps to reproduce the risk
  • any technical coding or test accounts you have created.

We’ll handle your report confidentially in line with our privacy policy.

If you report a security risk, don’t advise anyone else without our permission in writing. The security of our payment systems and customer data is a priority for us.

What the report process is

If you tell us about a security risk, we’ll:

  • confirm we received your submission within 5 business days
  • reply to your submission within 21 business days.

We’re committed to protecting the integrity of our online systems and we value the work the security community does. We appreciate when researchers or our customers take the time to tell us about potential security risks.

We can credit you by listing your name or alias on this webpage. This is optional and we will only do this if you give us your permission.

People who have disclosed security risks

We will list the names or aliases of people who have identified security risks here, as they become available with their permission.

Aakash Tayal has identified a security risk.

Anthony Jones has identified a security risk.

Privacy and your personal information

The privacy and security of your personal information is important to us, and is protected by law. We collect this information to improve the security of our services. We only share your information with other parties where you have agreed, or where the law allows or requires it. Read more about your right to privacy.

Page last updated: 31 May 2024.
QC 64983