Vulnerability Disclosure Program

The Reserve Bank of Australia encourages external security researchers to confidentially submit to the Reserve Bank their research findings concerning potential security vulnerabilities within the Bank’s systems referred to below. We appreciate the assistance of the security community and by submitting findings to us you agree with the terms and conditions on this page. We will take appropriate steps to review any vulnerability report. We do not provide compensation for reports of potential or verified vulnerabilities. If unsure on any details or whether an item is in scope, please contact cybersecurity@rba.gov.au.

Scope

We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access.

This covers the following Reserve Bank domains:

Out of scope

  • Clickjacking.
  • Self-exploitation issues (i.e. Self XSS, cookie reuse, self DoS).
  • Missing security headers.
  • Disclosure of known public files or directories.
  • Lack of Secure or HttpOnly flags on non-sensitive cookies.
  • Usage of a known vulnerable library or framework without a valid attack scenario.
  • Automated vulnerability scan reports.
  • Weak or insecure SSL ciphers or certificates.
  • Social engineering or phishing.
  • Denial of Service (DoS) or any availability attacks.
  • Physical attacks.
  • Application or websites controlled by a third party.
  • Accessing or attempting to access accounts or data that does not belong to you.
  • Attempts to modify or destroy data.
  • Exfiltrating any data under any circumstances.
  • Any activity that violates any law.

How to report a vulnerability

To report a vulnerability, email cybersecurity@rba.gov.au or view the steps through our security.txt page for sending an encrypted email.

Please include as much information as possible, such as:

  1. Any Proof of Concept (PoC) or exploit code required to reproduce the issue.
  2. Steps to reproduce.
  3. Explanation of the vulnerability.

Do not disclose to anyone else the vulnerability that you have reported to us until we have told you that we have investigated and/or mitigated the vulnerability. In particular, do not publish research concerning the vulnerability until we contact you. We will need time to validate your findings, investigate and, if necessary, mitigate the vulnerability.

More information about how the Bank uses personal and other information collected via the Bank's main website is in the Bank's Personal Information Collection Notice for Website Visitors and App Users.

Next Steps

We will:

  • Contact you within five business days of receiving a report if we determine that the report is accurate and in-scope.
  • Tell you when public disclosure can occur (if the reported vulnerability is verified).