WARNING: Your device is running Android version 7 or below. From September, you may experience issues accessing our website. We recommend using the Firefox browser.

• [/what-we-can-do/index.html](What we can do for)

• [/about-msd-and-our-work/index.html](About us and our work)

• [/about-msd-and-our-work/about-msd/index.html](About MSD)

• [https://disabilitysupport.govt.nz](Disability Support Services)

• [/about-msd-and-our-work/child-wellbeing-and-poverty-reduction/index.html](Child Wellbeing and Poverty Reduction)

• [/about-msd-and-our-work/work-programmes/index.html](Work programmes)

• [/about-msd-and-our-work/newsroom/index.html](News and media)

• [/research-insights/index.html](Research and insights)

• [/about-msd-and-our-work/publications-resources/index.html](Publications and resources)

• /about-msd-and-our-work/covid-19/index.html

• [/about-msd-and-our-work/about-msd/careers/index.html](Careers at MSD)

• [/about-msd-and-our-work/contact-us/index.html](Contact us)

• [/about-msd-and-our-work/tools/index.html](About this site)

• /about-msd-and-our-work/tools/accessibility-tools.html

• [/about-msd-and-our-work/tools/copyright-statement.html](Copyright, Privacy and Disclaimer)

• [/about-msd-and-our-work/tools/subscribe.html](Subscribe to our feeds)

Responsible Disclosure guidelines

On this Page:

• [#Responsibledisclosureofsecurityissues1](Responsible disclosure of security issues)

• [#Whattotellus2](What to tell us)

• [#Ourcommitmenttoyou3](Our commitment to you)

• [#Whatyoushoulddo4](What you should do)

• [#Whatyoushouldnotdo5](What you should not do)

• #Reference6

)

Responsible disclosure of security issues

If you find a security issue with our online systems, please tell us so that we can get it fixed. Our goal is to protect people’s privacy. That means getting vulnerabilities fixed as soon as possible.

It also means encouraging people to tell us about vulnerabilities. So, we want to work with anyone who tells us about vulnerabilities in our system.

These guidelines apply to the Ministry of Social Development website or sites linked to MSD, such as:

• msd.govt.nz

• workandincome.govt.nz

• studylink.govt.nz

• supergold.govt.nz. If you find a vulnerability, please email us at mailto:[email protected] (Link 1).

For issues affecting other government agencies, please report via Report it @ https://www.ncsc.govt.nz/report/ (Link 2).

)

What to tell us

Please tell us what you can of the following information without doing any further work on the vulnerability.

• A clear description of the security issue, for example:

• type of vulnerability

• affected products and versions

• affected configurations

• Where and how you found it, include, if possible:

• screenshots if possible

• step-by-step instructions

• proof of concept codes to replicate the issue (if you have this)

• Whether the issue has been shared or published

• Whether any personal information has been exposed or could be exposed

• What has happened with any personal information exposed

• Your name and contact details. We will acknowledge your report and work with you to validate and resolve the issue. We appreciate your time and effort in helping us improve our security.

)

Our commitment to you

If you follow these guidelines, we commit to:

• communicating openly and clearly with you

• treating your report as confidential within the Ministry and our suppliers, unless:

• a third party discovers the issue before we resolve it, or

• the issue causes a privacy breach requiring disclosure under the Privacy Act 2020

• not taking legal action against you if you follow these guidelines and cause no harm

• responding to your report within seven days

• recognising your contribution with a letter of acknowledgement if you are the first to report the issue and it results in a code or configuration change. Note: The Ministry does not offer financial rewards or bug bounties.

)

What you should do

Delete and do not share any confidential or personal information you may have accessed.

Keep all information about the issue confidential between you and the Ministry until we’ve resolved it.

)

What you should not do

Some types of behaviour are not reasonable research approaches. Please do not try actions that can cause harm:

• Denial of Service (DoS) attacks

• slowing down systems for users

• disrupting production systems

• accessing data or information that does not belong to you. (Once you see there is a problem that exposes information, please do not look for more such information – one example is enough.)

• destroying or corrupting data or information that does not belong to you

• sharing any personal information you obtained.

)

Reference

These guidelines are based on the NZITF Coordinated Disclosure Guidelines and the Disclose.io framework.

Print this page