Disclosing vulnerabilities

We want to hear from our members or third parties who find any vulnerabilities in our information systems and environments. By reporting these to us, you are deemed to have accepted our Responsible Disclosure Program terms, below.

UniSuper’s Responsible Disclosure Program terms and conditions

Reports submitted to UniSuper’s Responsible Disclosure Program will be eligible for recognition where a potential risk or vulnerability is verified by us. UniSuper does not provide any compensation, such as financial rewards, for these reports.

To be eligible for this program, you must not attempt, or take steps, to:

  • discuss, report the identification, or the nature, of the vulnerability until we have informed you of a completed investigation, and/or fixed or mitigated the vulnerability. This remains confidential between you and UniSuper
  • modify, or destroy, any UniSuper data
  • exfiltrate any UniSuper data under any circumstances
  • be involved in Denial of Service (DoS) or any availability attacks against UniSuper
  • carry out any physical attacks
  • engage in social engineering or phishing attacks on UniSuper members or staff.

Please note that UniSuper does not grant permission to carry out actions against our information systems and environments which would otherwise be unlawful.

If in doubt about any of the above terms and conditions, please ask us, so as to avoid any unintentional breach of any terms and conditions.

What information to disclose

As part of your report, please include as much detail as possible, including:

  • date and timestamp of when the vulnerability was observed
  • location of the vulnerability (e.g. URL, domain, etc)
  • an explanation of the potential security vulnerability
  • a list of products and services that may be affected (where possible)
  • steps to reproduce the vulnerability
  • recommendations on how to fix this issue
  • prior conditions (e.g. logged in, not logged in, previous actions etc) where applicable
  • names of any files that were uploaded to our systems
  • the names of any test accounts you have created (where applicable)
  • your contact information.

Vulnerabilities out of scope of this Program

Please do not report to us any of the following incidents:

  • clickjacking
  • self-exploitation issues (i.e. Self XSS, cookie reuse, self DoS)
  • missing security headers
  • disclosure of known public files or directories
  • lack of Secure or HttpOnly flags on non-sensitive cookies
  • usage of a known vulnerable library or framework without a valid attack scenario
  • automated vulnerability scan reports
  • weak or insecure SSL ciphers or certificates
  • social engineering or phishing
  • Denial of Service (DoS) or any availability attacks
  • application or websites controlled by a third party.

Disclose any potential security vulnerabilities, or any queries about this Program, to the UniSuper Application Security Team: security@unisuper.com.au

What happens after we receive your report

Step 1

We will assess the report and any potential risks or vulnerabilities that it may pose to UniSuper or its members.

Step 2

If we determine the report is accurate and in-scope, we may contact you. If we do, we will endeavour to contact you within five business days of receipt of the report and, if you allow, we may continue to keep in contact with you.

Step 3

On completion of our investigation, and if the report is deemed a vulnerability, we will advise you when public disclosure can occur.

Step 4

We will acknowledge you as the reporter of the vulnerability unless you prefer us not to.
