VULNERABILITY DISCLOSURE


The security of nbn’s networks, systems and facilities is our top priority and we take every care to provide a trusted and secure network for all Australians.

As part of this commitment, nbn appreciates the importance of working with the security community.

Here, we provide guidelines for security researchers to directly submit details of suspected security vulnerabilities in nbn’s network, systems and facilities.


Guidelines


If you report a vulnerability to nbn under these guidelines, we ask that you keep your submission confidential, both while we work with you to investigate the situation and beyond, to maintain the confidentiality of information.

Please always exercise caution and restraint when analysing and reporting suspected vulnerabilities, and comply with these guidelines. This includes taking extreme care when handling personal information, and not knowingly engaging in any activity that causes nuisance to any other user or person, including by way of attacks against third parties, social engineering, denial-of-service attacks or spam.

Accessing or attempting to access, modify, copy, exfiltrate or destroy any data is strictly prohibited under these guidelines.

These guidelines do not cover or permit any abuse, interference with or malicious acts towards any nbn® network, system or facility that has the effect of, either directly or indirectly:

  • causing performance degradation or impacting any nbn service in any way
  • impacting the availability or integrity of nbn’s networks, systems and facilities
  • compromising the confidentiality of communications carried on or contained in nbn’s networks, systems and facilities
  • otherwise causing any disruption to or interference with nbn’s networks, systems and facilities


We are unable to compensate you for finding potential or confirmed vulnerabilities.


How to report a vulnerability


To report a vulnerability, please send an email to: VulnerabilityDisclosure@nbnco.com.au

Please help us by providing as much information as you can so we can verify the suspected vulnerability, including the following:

  • your name and contact details
  • description of the suspected vulnerability
  • discovery date
  • list of the affected networks, systems or facilities
  • steps required for nbn to reproduce the suspected vulnerability
  • other relevant details to allow nbn to verify and reproduce the suspected vulnerability

What happens next?


We will (as appropriate):

  • acknowledge receipt of your report within five business days using the contact information supplied by you
  • treat your report confidentially and not share any of your information unless required to do so to comply with nbn’s legal obligations
  • keep you informed of our progress
  • work with you regarding issues of attribution and/or public disclosure

nbn is collecting your personal information to help you with your enquiry. nbn's Privacy Policy sets out how we handle personal information, how you may access or correct your information, how to make a complaint about nbn’s handling of your personal information and how we will deal with your complaint. If you have any questions or concerns about your privacy or personal information that nbn may hold, you can contact us by calling 1800 687 626 or emailing privacyofficer@nbnco.com.au. nbn uses service providers to carry out our work. Some of our service providers are located outside Australia.