Vulnerability Disclosure Policy

Oranga Tamariki – Ministry for Children takes the security and privacy of our information seriously to protect the safety of tamariki, rangatahi, whānau and kaimahi. If you identify a security issue with our systems, please tell us so that we can get it fixed.

Disclosure of system security issues

We value input from anyone in our community. Disclosure of security issues within our systems helps us to ensure the security and privacy of our information.

If you have identified a security issue within our systems, our IT Security team will work with you to confirm and fix it.

If you follow the Responsible Disclosure Guidelines below to report an issue to us, we will receive your disclosure on a “no blame” basis. We won’t take legal action against you or suspend or terminate your access to Ministry services.

The Ministry reserves all of its legal rights if you do not follow the Responsible Disclosure Guidelines below.


Responsible disclosure guidelines

These guidelines are designed to help both you and the Ministry when you find a security issue with our systems. If you are doing security testing, please:

  • make every effort to avoid:
    • a breach of the privacy of individuals
    • anything that will slow the system down for users
    • disruption or damage to any “live” systems
    • destruction of data
    • any illegal activity (including crimes in sections 248 to 252 of the Crimes Act 1961)
  • perform research only within the Scope as set out below
  • delete, and do not share, any Ministry confidential information or personal information you might have obtained
  • email it_security@ot.govt.nz to report security issues with our systems as soon as possible
  • keep information about any security issues with our systems that you’ve discovered confidential between yourself and the Ministry until we have had an opportunity to fix it.

Our commitment to you

If you follow the responsible disclosure guidelines when reporting an issue to us, we commit to:

  • being as straightforward and communicative as we can with you
  • treating the information you share with us as confidential within the Ministry and the relevant technology provider, unless we have to disclose it because:
    • a third party discovers and releases the security issue within our system before we’ve had the opportunity to resolve it; or
    • the information on the security issue within our system is used to cause a privacy breach and the Ministry is required to handle the breach in accordance with the Privacy Act 2020; or
    • we need to protect the personal information and safety of tamariki, rangatahi, whānau, kaimahi or someone else.
  • not taking any legal action against you related to your research provided you follow the Responsible Disclosure Guidelines
  • working with you to understand and resolve the issue quickly (including an initial confirmation of your report within seven days of submission)
  • acknowledging that the issue has been resolved within 90 days, if the report results in a configuration or code change
  • recognising your contribution, in appropriate cases, with a letter of acknowledgement if you are the first to report the issue and we make a code or configuration change based on the issue. We do not offer a ‘bug bounty’ payment for finding a vulnerability.

Websites and systems in scope of this policy

The following Oranga Tamariki websites and systems are in scope of this policy:

  • Oranga Tamariki (including careers website)
  • Practice Centre
  • Practice Centre (Archive)
  • Parenting Resource
  • Tākai/SKIP (Strategies with Kids, Information for Parents)
  • Strengthening Families
  • High and Complex Needs
  • Crown response to the Abuse in Care Inquiry
  • Children’s Day
  • Hear me see me
  • Just Sayin'
  • Compliments, Complaints and Suggestions
  • Family Start (FSNet)

The case management systems that we own and maintain are also in scope.

Services out of scope of this policy

  • Services that are the responsibility and products of third-party providers that the Ministry uses.
  • Any services provided by other government departments or agency providers.

For issues that affect other government departments or agency providers, we advise you to contact CERT NZ, which offers an anonymous reporting service for system security issues.

In the interest of the safety of our users, employees, the internet at large, and you, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating, i.e. an unauthorised person passing through behind an authorised user, or compromising access cards)
  • Findings derived primarily from social engineering (e.g. phishing, whaling)
  • Findings from applications or systems not listed in the ‘In Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) weaknesses
  • Any form of unauthorised Penetration Testing of our services
  • Obtaining personal information or potentially threatening the safety of tamariki, rangatahi, whānau or kaimahi
  • Destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to the Ministry. This includes any information that may be relevant to you.

How to report a security issue

If you believe you’ve found a security issue in one of our systems, please report it to us by email at it_security@ot.govt.nz. Please write the report clearly and in English, and include the following details:

  • Type of security issue
  • How you found the security issue
  • Whether the security issue has been published or shared with others
  • Affected configurations
  • Exposure or possible exposure of any personal information
  • Description of the location and potential impact of the security issue
  • A detailed description of the steps required to reproduce the issue or risk (Proof of concept scripts, screenshots, and compressed screen captures are all helpful to us)
  • Your name/handle for recognition in our Hall of Fame.

This information disclosure policy was written with reference to the NZITF Coordinated Disclosure guidelines and the Disclose.io disclosure policy guidelines.

Published: June 15, 2022