This policy gives security researchers a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within MTC Australia.
About this policy
MTC Australia is committed to protecting the systems that service our customers, and the information held within them. We encourage the security community to report any potential vulnerabilities uncovered as soon as possible.
If you think you have found a potential vulnerability in one of our systems, services or products, please tell us as quickly as possible (refer to ‘How to report a vulnerability’ below).
We will not compensate you for finding potential or confirmed vulnerabilities, however, will credit you as the person who discovered the vulnerability unless you tell us not to.
Security research within the scope of this policy
We encourage you to conduct responsible security research on those of our products and services to which you have authorised access.
Security research is out of the scope of this policy
This policy strictly prohibits and does not cover:
- Clickjacking
- Social Engineering or phishing
- Weak or insecure SSL ciphers or certificates
- Denial of Service (DOS)
- Physical attacks against MTC Australia, its employees or property belonging to MTC Australia or its employees
- Attempts to modify or destroy data
- Actions that violate Australian law.
How to report a vulnerability
To report a vulnerability, email [email protected].
Please include enough detail so we can reproduce your steps and validate the vulnerability.
If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability.
What happens next
We will:
- Respond to your report within 5 business days
- Keep you informed of our progress
- Agree upon a date for public disclosure
- Credit you as the person who discovered the vulnerability unless you tell us not to.
People who have disclosed vulnerabilities to us
Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:
- Gaurang Maheta
- Kunal Mhaske