Responsible disclosure of security issues

Reporting a security issue

Our services are identified by the MBIE logo, or by ‘mbie.govt.nz’ in the address bar of your browser. Even if you are unsure, report the security issue. Email Responsible disclosure team.

If you wish to remain anonymous, use the CERT NZ operated vulnerability disclosure process.

How to report a vulnerability(external link) — CERT NZ

What to report

We would like to know the following information about the security issue you have found:

1. A description of the security issue.
2. Where and how you found the security issue, if possible with relevant photos/screenshots.
3. Whether the security issue has been published or shared with others.
4. Whether information about a person has been exposed or could potentially be exposed.
5. Your name and contact details.

We will acknowledge your report, and work with you to validate and fix the issue. We highly value your feedback and your time to help us resolve any vulnerabilities that you identify.

Your responsibilities

If you find a security issue in one of our services, do not:

• Breach the privacy of any individual.
• Copy, download or disclose information from MBIE’s services to anyone.
• Cause disruption to MBIE’s services.
• Modify, corrupt, or destroy any information on MBIE’s services.
• Disclose information about any security issue you may have identified in our services until we have had an opportunity to fix it.

Be aware that we do not condone penetration testing of our services by members of the public.

Our commitment to you

• Your contact details will not be shared with third parties without your permission.
• We will be as clear and communicative as we can with you.
• We will work with you to understand and fix the security issue quickly.
• Whilst we do not offer a financial reward, we will recognise your contribution with a letter of acknowledgement if you request it.