Responsible Disclosure Guidelines

The New Zealand Intelligence Community (NZIC) takes the security and privacy of our information seriously. Despite our efforts, there may be vulnerabilities that may create security issues. 

Disclosure of any security issue with our systems helps us to ensure the security and privacy of our information.

The Responsible Disclosure Guidelines are designed to help you and the New Zealand Intelligence Community (NZIC) if you identify a security issue with our systems.

We value input from anyone in our community. If you have identified a security issue, please report the security issue to us as soon as possible so that we can get it fixed.  Our IT Security team will work with you to validate and fix it.

We will not take legal action against you, suspend or terminate your access to our services as long as you follow these guidelines when reporting the issue to us.

The NZIC reserves all of its legal rights if you do not follow the Responsible Disclosure Guidelines.

How do you report a security issue?

If you believe you have found a security issue with our systems, please send it to us by emailing web@nzic.govt.nz. Please write the report clearly and in English, and include the following details:

  • type of security issue
  • how you found the security issue
  • whether the security issue has been published or shared with others
  • affected configurations
  • exposure, or possible exposure, of any personal information
  • description of the location and potential impact of the security issue
  • a detailed description of the steps required to reproduce the issue or risk (Proof of concept scripts, screenshots, and compressed screen captures are all helpful to us).

We will acknowledge receipt of your report within seven days and provide an outline response plan where applicable.

If you are doing security testing, please:

  • make every effort to avoid:
    • a breach of the privacy of individuals,
    • anything that will slow the system down for users,
    • disruption to production systems, or
    • destruction of data.
  • perform research only within the scope set out below
  • delete, and do not share, any NZIC confidential information or personal information you might have obtained
  • keep information about any security issues with our systems that you discovered confidential between yourself and the NZIC until we have had an opportunity to fix it.

In scope

The Responsible Disclosure Guidelines apply to the following NZIC websites:

Out of scope

Services hosted by third-party providers or vendors are excluded from scope.

Any other government departments or agency providers and services are excluded from scope.

For issues that affect other government departments or agency providers, we suggest utilising the anonymous reporting service for system security issues on the CERT NZ website(external link). CERT NZ is a part of the Government Communications Security Bureau’s (GCSB’s) National Cyber Security Centre.

In the interest of the safety of our employees, other users, you, and the internet at large, the following test types are excluded from scope:

  • findings from physical testing such as office access (e.g. open doors, tailgating)
  • findings derived primarily from social engineering (e.g. phishing, whaling)
  • findings from applications or systems not listed in the ‘In scope’ section
  • UI and UX bugs and spelling mistakes
  • network level Denial of Service (DoS/DDoS) weaknesses
  • destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to the NZIC.  This includes any information that may be relevant to you.

Our Commitment to you

If you follow these Responsible Disclosure Guidelines when reporting an issue to us, we commit to:

  • being as straightforward and communicative as we can with you
  • treat the information you share with us confidential within the NZIC and our suppliers, unless we have to disclose it because:
    • a third party discovers the security issue within our system before we have had the opportunity to resolve it, or
    • the information on the security issue within our system is used to cause a privacy breach and the NZIC is required to handle the breach in accordance with the Privacy Act 2020.
  • not take any legal action against you related to your research provided you follow the Responsible Disclosure guidelines, keep our information confidential, and cause no damage/disruption to NZIC services.
  • work with you to understand and resolve the issue quickly (including an initial confirmation of your report within seven days of submission).

This information disclosure policy was written in combination with the NZITF Coordinated Disclosure Guidelines(external link).