This policy is here to help you and us if you find a security issue in our systems.
Inland Revenue (IR) takes the security, confidentiality, integrity and privacy of our information seriously. We are always looking to increase and improve our security. If you think there is a security issue in our systems, please tell us so we can fix it.
How you can help
We value your feedback. Letting us know if you think there is a security issue with our systems helps us to maintain the security and privacy of our information.
We will work with you to validate and promptly fix the issue. Where we get a report about systems run by our third-party suppliers we may need to work with you to report the vulnerability to them.
Please only act within the scope outlined in this policy.
We do not pay ‘bug bounties’ or pay for reported security issues.
Acting responsibly
Make sure you follow the policy guidelines. If you find a security issue in our systems, please do not:
- breach the privacy of any individual(s)
- copy, download or disclose to anyone else any information on IR’s systems
- do anything that impacts or disrupts IR’s systems
- modify, corrupt, or destroy any information on IR’s systems
- disclose information about any security issues you may have identified with our systems until we have had an opportunity to fix it.
Our commitment to you
If you follow this Responsible Disclosure Policy (including ‘Acting responsibly’) and report a security issue to IR, we commit to:
- Being as clear and communicative as we can with you.
- Treating the information you share with us as confidential between us and our suppliers, unless:
  - Someone else discovers the same or similar security issue in our systems and we are required to act promptly before we’ve had the opportunity to resolve the matter with you,
  - The security issue in our systems results in a privacy breach and we are required to handle the breach in accordance with the Privacy Act 2020.
- Not initiating legal action against you using IR’s statutory powers, or by way of a complaint to the police or other enforcement agency, provided you follow this Responsible Disclosure Policy (including ‘Acting responsibly’ above), keep our information confidential, and do not cause damage or disruption to our services or customers.
- Not suspending or ending your access to our services if you are an IR customer.
- Working with you to understand and fix the security issue quickly, including an initial confirmation of your report within 7 days of you reporting it.
- Quickly dealing with vulnerabilities you have told us about.
- Considering recognition of your contribution with a letter of acknowledgement if you are the first to report the issue and we make a code or configuration change based on the issue.
In scope
Scope includes but is not limited to:
- Online services operated under ird.govt.nz domains.
- Other domains and online services that are clearly identified as owned and/or operated by Inland Revenue.
If you do not know if a service is within scope, please email us at [email protected]
Out of scope
The following test types and findings are excluded from the scope:
- A security issue affecting another government department or agency. Please report any issue to that government department or agency or to CERT NZ who offer an anonymous reporting service for system security issues (see link below).
- Other issues, including:
  - Network level Denial of Service (DoS/DDoS) weaknesses.
  - Findings derived primarily from social engineering, for example, phishing, whaling.
  - Findings from physical testing such as office access, for example, open doors, tailgating.
  - UI and UX bugs and spelling mistakes.
  - Destruction or corruption of, or attempts to destroy or corrupt, data or information that belongs to us. This includes any information that may be relevant to you.
  - Findings from applications or systems not listed in the ‘In scope’ section.
How to report a security issue
If you believe you’ve found a security issue in one of our systems, please let us know by emailing: [email protected]
Include the following details:
- The type of security issue.
- How you found the security issue.
- Whether the security issue has been published or shared with others.
- Affected configurations.
- Exposure or potential exposure of any personal information.
- Description of the location and potential impact of the security issue.
- A detailed description of the steps required to reproduce the issue or risk; for example, proof-of-concept scripts, screenshots and compressed screen captures are all helpful to us.
- Your name and contact details.
How to remain anonymous
CERT NZ operate a coordinated vulnerability disclosure process where the finder of a security issue can use CERT NZ to notify affected vendors.