I reported a security vulnerability to the ATO!

Australian Taxation Office
Did you know that the Australian Taxation Office has a Vulnerability Disclosure Program?
I was pretty excited when I stumbled across their VDP:
https://www.ato.gov.au/General/Online-services/Online-security/Report-a-system-security-vulnerability/
I reported a security vulnerability to the Australian Taxation Office! 🕵️
Australian Cyber Security Centre
It can be difficult to find the right person or team to escalate a security vulnerability to.
I have reported 20+ security vulnerabilities to service providers with critical infrastructure over the past few years.
When my usual approach of finding the right team does not work, I reach out to the Australian Cyber Security Centre (ACSC) for help.
I have escalated security vulnerabilities via the ACSC when there is a risk to critical infrastructure. Each time they have been responsive and made contact with the service provider or government department.
Vulnerability disclosure programs
I honestly would not have reported a vulnerability to the ATO if I did not stumble across their vulnerability disclosure program. I had noticed the issue but it was not immediately obvious that it was an issue until now.
The vulnerability disclosure program made me think “Have I noticed anything dodgy with any of their systems?”.
Please consider setting up a vulnerability disclosure program to at least make it easier for security researchers to report what they have found.
Thanks!
Thanks ATO for having a VDP and for adding me to the hall of fame! 🥳
Let’s chat on LinkedIn:
https://www.linkedin.com/feed/update/urn:li:share:6959155200779583488