Responsible disclosure of security issues

If you find a security issue with our online systems, please tell us so that we can get it fixed. Our goal is to protect people’s privacy. That means getting vulnerabilities fixed as soon as possible.

It also means encouraging people to tell us about vulnerabilities. So, we want to work with anyone who tells us about vulnerabilities in our system.

These guidelines apply to the Ministry of Justice (the Ministry) website or sites linked to or managed by the Ministry. These include:

  • justice.govt.nz
  • māorilandcourt.govt.nz
  • criminalrecords.govt.nz
  • districtcourts.govt.nz
  • electoralreview.govt.nz
  • waitangitribunal.govt.nz
  • victimsinfo.govt.nz
  • courtsofnz.govt.nz

If you find a vulnerability, please email us at ICTSecurityProgramme@justice.govt.nz

For issues affecting other government agencies, please report them to the National Cyber Security Centre via Report it @ NCSC.

What to tell us

In your email, please include the following, with as much information as you can give without doing any further work on the vulnerability.

  • A clear description of the security issue, for example:
    1. type of vulnerability
    2. affected products and versions
    3. affected configurations
  • Where and how you found it, including, if possible:
    1. screenshots
    2. step-by-step instructions
    3. proof-of-concept code to replicate the issue (if you have this)
  • Whether the issue has been shared or published
  • Whether any personal information has been exposed or could be exposed
  • What has happened with any personal information exposed
  • Your name and contact details.

We will acknowledge your report and work with you to validate and resolve the issue. We appreciate your time and effort in helping us improve our security.

Our commitment to you

If you follow these guidelines, we commit to:

  • communicate openly and clearly with you
  • treat your report as confidential within the Ministry and our suppliers, unless:
    • a third party discovers the issue before we resolve it, or
    • the issue causes a privacy breach requiring disclosure under the Privacy Act 2020
  • not take legal action against you (provided you follow these guidelines for reporting a vulnerability, act in good faith and cause no harm)
  • respond to your report within seven working days
  • recognise your contribution with a written acknowledgement if you are the first to report the issue and it results in a code or configuration change.

Note: The Ministry does not offer financial rewards or bug bounties.

What you should do

Delete and do not share any confidential or personal information you may have accessed.

Keep all information about the issue confidential between you and the Ministry until we’ve resolved it.

What you should not do

Some types of behaviour are not reasonable research approaches. Please do not try actions that can cause harm, including:

  • Denial of Service (DoS) attacks
  • slowing down systems for users
  • disrupting production systems
  • accessing data or information that does not belong to you. (Once you see there is a problem that exposes information, please do not look for more such information – one example is enough)
  • destroying or corrupting data or information that does not belong to you
  • sharing any personal information you obtained with any party other than the Ministry, for the purpose of notifying us of the vulnerability.