Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

More Accept ×

We respect your Do Not Track preference.

Close ×

opc header logo

About OPC

Print | Email this page

Vulnerability Disclosure Policy

If you find a security issue with our online systems, please tell us so that we can get it fixed. Our goal is to protect people’s privacy. That means getting vulnerabilities fixed as soon as possible. It also means encouraging people to tell us about vulnerabilities. So we want to work with anyone who tells us about vulnerabilities in our system.

As far as practicable we use components of the New Zealand Government Marketplace web platform. If the vulnerability is in the Marketplace then we will need to pass the information on to the Department of Internal Affairs. But we will not pass on your contact details without your permission.

How to tell us

Read Information for Whistleblowers, which also tells you how to alert a vulnerability.

What to tell us

Please tell us what you can of the following information without doing any further work on the vulnerability.

  • Type of vulnerability
  • Whether the vulnerability has been published or shared with others
  • Affected products and versions
  • Affected configurations
  • Step-by-step instructions / proof of concept codes to replicate the issue
  • Was personal information exposed?
  • What has happened with any personal information exposed

What we will do

We acknowledge receipt as soon as possible and within 7 working days we will give you an update on the progress of our investigation.

We will look at the reported vulnerability and work with the appropriate service provider to validate the reported vulnerability. We will notify you of what that investigation found and what we decided to do.

We aim to address all vulnerabilities as quickly as possible but are reliant upon contracted suppliers.

If appropriate we will also handle this as a privacy breach and tell people whose personal information may have been disclosed. You can read about how data-related privacy breaches are handled on our website https://privacy.org.nz/responsibilities/privacybreaches We will work with you if you want to publicly disclose finding the vulnerability.

We will work with you if you want to publicly disclose finding the vulnerability.

What you should not do

Some types of behaviour are not reasonable research approaches. Please do not try actions that can cause harm.

  • “Denial of Service” (DoS) attacks
  • Accessing data or information that does not belong to you. Once you see there is a problem that exposes information, please do not look for more such information – one example is enough
  • Destroying or corrupting data or information that does not belong to you
  • Sharing any personal information you obtained.

Protecting other people’s privacy

Please do not share with others any vulnerability that you find until we have had the opportunity to fix the vulnerability. We don’t want others trying to exploit the vulnerability.

Please do not share any personal information obtained from the Office, because that could cause harm to others. Posting personal information could constitute a breach of the Privacy Act which we might then have to investigate.

Our commitment

If you act in good faith and follow this policy, then we make the following commitments to you:

  • The information that you share with us as part of this process will be kept confidential within OPC and our directly contracted suppliers
  • Your contact details will not be shared with third parties, eg. DIA for Common Web Platform vulnerabilities, without your permission
  • We will not initiate legal action against people attempting to find vulnerabilities within our systems who adhere to this policy
  • If you report a vulnerability that materially affects our services or infrastructure, we will publicly acknowledge your help.

Contact details

If you have any queries, please contact us.

Download a copy of this policy (opens to PDF, 133KB).

Back to top