Vulnerability Disclosure Program

The Courts and Tribunal are committed to ensuring the security and integrity of our systems and data. In alignment with the Australian Information Security Manual (ISM), we recognise the valuable role that security researchers and the general public play in identifying and reporting vulnerabilities. This Vulnerability Disclosure Program (VDP) outlines the permitted activities a researcher can perform, the process for reporting potential security vulnerabilities, and the response of the Courts and Tribunal.

Purpose of the Vulnerability Disclosure Program

A vulnerability disclosure program (VDP) is a collection of processes and procedures designed to identify, verify, resolve, and report on vulnerabilities disclosed by people who may be internal or external to an organisation. We appreciate the efforts of responsible researchers and are committed to improving the security of our systems.

This program does not authorise or endorse any researcher or group to perform penetration testing, or hacking, against our systems.

Program Scope

  • This VDP applies to all systems and services that you are legally permitted to access.

Reporting a Vulnerability

Researchers are encouraged to report vulnerabilities via the following means:

Email: VulnerabilityDisclosure@fedcourt.gov.au

When reporting a vulnerability, please include the following information:

  1. A description and details of the security vulnerability, including the type of issue
  2. List of potentially affected services (where possible)
  3. Detailed steps to reproduce the vulnerability, including any relevant URLs, parameters, and sample code
  4. Proof-of-concept code (where applicable)
  5. Your contact information for further correspondence (optional but encouraged); and
  6. Whether you would like public acknowledgement for your contribution (under the Acknowledgements section of this webpage), and the name you would like to be acknowledged under.

If you report a vulnerability, you must keep it confidential and not make a public notification or announcement of the vulnerability until the vulnerability has been remediated.

Post-Disclosure Process

When you report a vulnerability, we will:

  • Respond to you within 2-5 business days
  • Recognise your contribution to our program if you choose public acknowledgement for your contribution.

We will not:

  • Financially compensate you for reporting, or
  • Share your details with any other organisation, without your permission.

Disallowed Activities

To ensure the integrity of the program, the following types of research are not permitted under this Program:

  • Social engineering or phishing
  • Denial of Service (DoS) or Distributed DoS (DDoS) attacks
  • Physical attacks
  • Attempts to modify or destroy data
  • Clickjacking
  • Accessing or attempting to access accounts or data that do not belong to you
  • Any activity that violates any law
  • Posting, transmitting, uploading, linking to, or sending any malware
  • Automated vulnerability scan reports
  • Leveraging deceptive techniques
  • Exfiltrating any data under any circumstances
  • Testing third-party websites, applications, or services that integrate with our services or products
  • Disclosure of known public files or directories
  • Lack of Secure or HttpOnly flags on non-sensitive cookies
  • Usage of a known vulnerable library or framework without a valid attack scenario

Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include:

  • Weak, insecure or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates
  • Misconfigured DNS (domain name system) records including, but not limited to, SPF (sender policy framework) and DMARC (domain-based message authentication, reporting and conformance)

Legal & Privacy Considerations

By participating in this VDP, you agree to comply with all laws and refrain from any activity that could cause harm to the Courts and Tribunal or its stakeholders. The Courts and Tribunal reserve the right to modify this policy at any time.

Personal information submitted in connection with a vulnerability report will be used solely for the purpose of contacting the reporter and addressing the reported vulnerability. It will not be shared with third parties without the reporter's explicit consent unless required by law.

Acknowledgements

We will publish the names or aliases of people who contribute to our Vulnerability Disclosure Program below with their permission (non-offensive names only).
By following this Vulnerability Disclosure Program, you help us protect our systems and data, ensuring a secure environment for all. We appreciate your contributions to our cybersecurity efforts.

At June 2024