Introduction

We take the security of our customers’ data very seriously. If you believe you’ve discovered a potential security vulnerability within the Australia Post Group, or one of our services or products, we strongly encourage you to disclose it to us as quickly as possible and in a responsible manner.

We appreciate the assistance and patience of security researchers and are committed to reviewing all reports that are disclosed to us. We will do our best to address each issue in a timely fashion, and request that you provide us with a reasonable timeframe to address the issue before public disclosure.

Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.

To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability. This is provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program. In the event of any non-compliance, we reserve all of our legal rights.

If in doubt, please contact the Australia Post Security Team by sending an email to security@auspost.com.au.

Discovering Potential Security Vulnerabilities

We encourage you to conduct responsible security research on our products and services. We allow you to conduct vulnerability research and testing only on our services and products to which you have authorised access.

The following types of research are strictly prohibited:

  • Accessing or attempting to access accounts or data that does not belong to you
  • Any attempt to modify or destroy any data
  • Executing or attempting to execute a denial of service (DoS) attack
  • Sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages
  • Conducting social engineering (including phishing) of Australia Post Group employees, contractors or customers or any other party
  • Any physical attempts against our property or data centres, including (but not limited to) distribution facilities, post offices and post boxes
  • Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products or customers or any other party
  • Testing third party websites, applications or services that integrate with our services or products
  • Any activity that violates any law

The following finding types are excluded from this Responsible Disclosure Program:

  • Descriptive error messages such as stack traces, application or server errors
  • HTTP 404 codes or pages, or other HTTP non-200 codes or pages
  • Fingerprinting or banner disclosure on common and public services
  • Disclosure of known public files or directories, such as robots.txt
  • Clickjacking and other issues only exploitable through clickjacking
  • CSRF on forms that are available to anonymous users, such as contact, login and logout forms
  • Content spoofing
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Lack of Secure or HttpOnly flags on non-sensitive cookies
  • Brute force against login or forgot-password pages, or account lockout not being enforced
  • OPTIONS HTTP method enabled
  • Missing HTTP security headers, such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, etc.
  • HTTP or DNS cache poisoning
  • Weak or insecure SSL cipher suites
  • Self-XSS

How to Report a Potential Security Vulnerability

You can responsibly disclose potential security vulne