Responsible disclosure guidelines for the Govt.nz app
We take the security and privacy of your information seriously. If you identify a security issue with the Govt.nz app, tell us so we can get it fixed.
Responsible disclosure of security issues
If you believe you’ve found a security vulnerability in the Govt.nz app, email us at governmentapp@dia.govt.nz.
We’re committed to protecting people’s privacy and keeping their information safe. This means fixing vulnerabilities as quickly as possible and encouraging responsible reporting.
We appreciate anyone who takes the time to let us know about potential issues so we can address them promptly.
If the issue relates to another government agency or system, report it directly to the National Cyber Security Centre (NCSC).
What to tell us if you find a security issue
Share what you know right away — do not investigate further.
Include:
- A clear description of the security issue, for example the:
  - type of vulnerability
  - affected products and versions
  - affected configurations.
- Where and how you found it, including, if possible:
  - screenshots
  - the steps you took to find the vulnerability
  - proof of concept code (the script or program that demonstrates the issue).
- Whether the issue has been shared or published.
- Whether any personal information has been exposed or could be exposed.
- What has happened to any personal information that was exposed.
- Your name and contact details.
We’ll acknowledge your report and work with you to validate and resolve the issue. We appreciate your time and effort in helping us improve our security.
Our commitment to you
If you follow the guidelines on this page, we’ll:
- communicate openly and clearly with you
- treat your report as confidential within the Department of Internal Affairs (DIA) and our suppliers, unless:
  - a third party discovers the issue before we resolve it, or
  - the issue causes a privacy breach that requires disclosure under the Privacy Act
- not take legal action against you if you follow these guidelines and cause no harm
- respond to your report within 7 days
- recognise your contribution with a letter of acknowledgement — if you’re the first to report the issue and it results in a code or configuration change.
What you should do
Delete and do not share any confidential or personal information you may have accessed.
Keep all information about the issue confidential between you and DIA until we’ve resolved it.
What you should not do
Some types of behaviour are not reasonable research approaches. Do not try actions that can cause harm, for example:
- Denial of Service (DoS) attacks
- slowing down systems for users
- disrupting production systems
- accessing data or information that does not belong to you. Once you see there is a problem that exposes information, do not look for more information: one example is enough.
- destroying or corrupting data or information that does not belong to you
- sharing any personal information you obtained.
What denial of service (DoS) is — National Cyber Security Centre
Reference guidelines
These guidelines are based on the New Zealand Internet Task Force (NZITF) Coordinated Disclosure Guidelines.
NZITF Co-ordinated Disclosure — NZITF