
If you spot a security flaw, tell CERT NZ
Neil Sanson
4 August 2017


Computer systems always seem to have problems and vulnerabilities. Some data breaches occur because of those vulnerabilities. If you spot a vulnerability or security flaw in a website, you can first report it to the organisation. They are generally happy to hear about a problem, so they can fix it.

Some organisations even publish a vulnerability disclosure policy that tells you how to report to them. For example, our office’s policy is here and our reasons are described in this blog post.

But you may find yourself in a situation where you do not want to have direct contact with the organisation. You might have had bad experiences in the past when reporting a problem. Or you might be concerned about how reporting a problem to an organisation might affect its dealings with you.

There have been cases where security researchers have received threatening legal letters for trying to do the right thing. Rather than take responsibility for the problem, an agency might try to blame the whistleblower.

In such cases, you need a trustworthy third party to pass the report on.

CERT NZ can act as that trusted third party for you. CERT NZ is a newly-established government clearing-house for reports of computer security incidents. It also gives support and guidance on computer security and incidents.

You can find out more about how CERT NZ passes on disclosures of vulnerabilities.

Image credit: CERT NZ




