ADITS Vulnerability & Responsible Disclosure Policy

We at ADITS provide secure and reliable IT services to our customers. We understand that no matter how much effort we put into system security, there can still be vulnerabilities present. That’s why we appreciate the work of tech-savvy individuals who help us stay on top of things by finding and reporting any weak spots in our systems.

This policy outlines how you can tell us about potential security vulnerabilities and what we’ll do when we receive your report. We’ve crafted it to be consistent with both the Australian Cyber Security Centre (ACSC) guidelines and the Australian Privacy Act 1988.

Telling Us About Potential Security Issues

If you’ve discovered a potential security vulnerability in our services, we’d love to hear from you. Here’s how you can help:

  • Contact us: Send us an email at security@adits.com.au with all the details. If you can, please tell us how we can reproduce the issue and what the potential impacts could be.
  • Keep it quiet: We’d appreciate it if you didn’t talk about the issue publicly until we’ve had a chance to investigate it. We’ll need a little time to understand and address the issue.
  • Be gentle: Please don’t try to exploit the vulnerability or probe our systems any more than is necessary to confirm that there’s an issue.
  • Protect privacy: If at any point during your research you encounter any Personal Identifiable Information (PII), you must immediately stop your activities and notify us. Handling PII carries significant legal responsibilities, and we take the protection of our customers’ data very seriously.

If you act in good faith and comply with this policy during your security research, we will work with you to understand and resolve the issue quickly, and ADITS will not pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make known your compliance with this policy.

What We’ll Do

When we get your report, here’s our promise to you:

  • We’ll confirm: We’ll send you an acknowledgement email within five (5) business days, so you know we’re on it.
  • We’ll investigate: We’ll take your report seriously and work to confirm the issue and fix it.
  • We won’t take legal action: If your report and your actions align with this policy, we won’t pursue any legal action against you.
  • We’ll keep you updated: We’ll keep in touch about what we’re doing to fix the problem.
  • Public Acknowledgement: Once we have taken care of the vulnerability, we could discuss making a joint public statement. But remember, talking about it publicly without our express consent is against this policy.

What’s Not Allowed

While we’re grateful for your help, some things just aren’t cool: 

  • Don’t perform network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data 
  • Don’t try to physically access our offices, our customer offices, or data centres.
  • Don’t try to manipulate (social engineer) our staff, contractors, or customers.
  • Always stay within the law.

Who’s Covered

This policy only applies to:

If a third party owns a service, please report any issues to them directly.

The Legal Bit

Just a heads-up, this policy doesn’t give you permission to start trying to find vulnerabilities in our systems. Any such actions without our explicit, written consent could land you in hot water.

ADITS can’t guarantee the legality or appropriateness of your actions, so you’re responsible for any consequences. We may change this policy at any time without telling you.

We truly appreciate your help in keeping ADITS and our customers safe.