Responsible Disclosure Standards
The Ministry of Education takes the security and privacy of our information seriously.
If you identify a security issue with our systems, please tell us so that we can fix it.
Disclosure of system security issues
We value engagement within our community. Disclosure of security issues within our systems helps us to ensure the security and privacy of our information.
If you have identified a security issue within our systems, we will work with you in good faith to validate and fix it.
If you act in accordance with these standards, we will not:
- initiate legal action by way of a complaint to the police or any other responsible enforcement agency
- suspend or terminate your access to Ministry services.
The Ministry reserves the right to commence legal action, including by way of a complaint to the New Zealand Police or other appropriate enforcement agency, if you fail to act in accordance with these standards.
Responsible disclosure standards
These standards are designed to help both you and the Ministry when you find a security issue with our systems.
If you are doing security testing, please:
- make every effort to avoid:
- a breach of the privacy of individuals
- anything that will slow the system down for users
- disruption to production systems
- a destruction of data.
- perform research only within the scope set out below
- delete, and do not share, any Ministry confidential information or personal information you might have obtained
- email firstname.lastname@example.org to report security issues with our systems as soon as possible after you find it
- keep information about any security issues with our systems that you’ve discovered confidential between yourself and the Ministry until we have had an opportunity to fix it.
Our commitment to you
If you follow these responsible disclosure standards when reporting an issue to us, we commit to:
- being as straightforward and communicative as we can with you.
- treating the information you share with us as confidential within the Ministry and our suppliers, unless we must disclose it because:
- a third party discovers the security issue within our system before we’ve had the opportunity to resolve it.
- the information on the security issue within our system is used to cause a privacy breach and the Ministry is required to handle the breach in accordance with the NZ Privacy Act 2020 or NZ Official Information Act 1982.
- not initiate legal action by way of a complaint to the police or any other responsible enforcement agency provided you follow the responsible disclosure standards, keep our information confidential, and cause no damage/disruption to Ministry services.
- work with you to understand and resolve the issue quickly (including an initial confirmation of your report within seven days of submission).
- potentially recognise your contribution with a letter of acknowledgement if you are the first to report the issue and we make a code or configuration change based on the issue.
- Online services operated under education.govt.nz domains.
- Other domains and online services that are clearly identified as owned and/or operated by the Ministry of Education.
Out of scope
For issues that affect other government departments or agency providers, we suggest you contact CERT NZ(external link) who offer an anonymous reporting service for system security issues.
The following test types are excluded from scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating).
- Findings derived primarily from social engineering (e.g. phishing, whaling).
- Findings from applications or systems not listed in the ‘In Scope’ section.
- UI and UX bugs and spelling mistakes.
- Network level Denial of Service (DoS/DDoS) weaknesses.
- Destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to the Ministry. This includes any information that may be relevant to you.
How do you report a security issue?
If you believe you’ve found a security issue in one of our products or platforms, please send it to us by emailing email@example.com.
Please write the report clearly, and include the following details:
- The type of security issue.
- How you found the security issue.
- Whether the security issue has been published or shared with others.
- Affected configurations.
- Exposure or potential exposure of any personal information.
- Description of the location and potential impact of the security issue.
- A detailed description of the steps required to reproduce the issue or risk (Proof of concept scripts, screenshots, and compressed screen captures are all helpful to us).
- Your name/handle for recognition in our Hall of Fame.
This information disclosure policy was written in combination with the NZITF Coordinated Disclosure guidelines(external link) and the Disclose.io disclosure policy guidelines(external link).
Last reviewed: Has this been useful? Give us your feedback