Report a cyber security system risk

How to report cyber security system risks in our online systems.

Our cyber security system risk disclosure policy outlines how you can tell us if you believe you’ve found a potential cyber security system risk within our online systems, including myGov.

Through this policy you should:

  • report any potential cyber security system risks by using the process listed on this site
  • provide as much information as possible, including contact information and details of potential cyber security system risks
  • not breach our systems to test for security risks
  • understand we can’t provide any compensation for finding security risks.

What the policy covers

This policy covers any product or service operated by Services Australia that’s available for you to use. These include:

  • Centrelink
  • myGov
  • Medicare.

The policy doesn’t allow you to test our systems for cyber security system risks. If you find a risk or issue with our IT systems that might make it less secure, you must inform us as soon as possible. We can test it and confirm if it’s correct.

It doesn’t cover anything that is against the law. This can include but is not limited to denial-of-service attacks and attempts to modify or destroy data.

What a cyber system security risk is

Cyber security system risks are weaknesses, errors or flaws within a system that can lead to a cyber attack or data breach to an organisation or website.

Some vulnerability types you could report include:

  • broken authentications
  • cross-site scripting
  • Structured Query Language (SQL) injections
  • zero-day vulnerabilities.

A cyber security system risk is not:

  • an unauthorised attempt to access your myGov account
  • a scam email or text message you have received or clicked on.

How to report a cyber security system risk

To report a potential cyber security system risk provide as much information as possible, including:

  • your contact details
  • an explanation of the potential cyber security system risk
  • the products and services that may be affected
  • steps to reproduce the risk
  • any technical coding or test accounts you have created.

We’ll handle your report confidentially in line with our privacy policy.

If you report a cyber security system risk, don’t tell anyone else without our permission in writing. The security of our payment systems and customer data is a priority for us.

Please don’t use this email address to report a scam email that you’ve received. If you’ve received a scam email or text go to Scams and identity theft for more information. If someone has accessed or attempted to access your myGov account without your permission go to what to do if things go wrong online.

Please report your cyber security system risk by email to public.disclosure@servicesaustralia.gov.au.

What the report process is

If you tell us about a cyber security system risk, we’ll:

  • confirm we received your submission within 5 business days
  • reply to your submission within 21 business days if the report is verified.

We’re committed to protecting the integrity of our online systems and we value the work the security community does. We appreciate the time taken to tell us about potential cyber security system risks.

We can credit you by listing your name or alias on this webpage. This is optional and we will only do this if you give us your permission.

People who have disclosed cyber security system risks

The following people have identified cyber security system risks:

  • Aakash Tayal
  • Anthony Jones
  • Olligobber
  • Pabich Pawel
  • Zahir Uddin Ahmad.

Privacy and your personal information

The privacy and security of your personal information is important to us and is protected by law. We collect this information to improve the security of our services. We only share your information with other parties where you have agreed, or where the law allows or requires it. Read more about your right to privacy.

Page last updated: 9 December 2024.
QC 64983