Ministry of Health Responsible Disclosure guidelines
If you identify a security issue, please tell us so that we can get it fixed.
The Ministry of Health (The Ministry) takes the security of our systems seriously and we value input from the security community. Responsible disclosure of security vulnerabilities within the health and disability system helps us ensure the security and privacy of our information.
As such, the Ministry’s IT security team wants to work with anyone who reports a vulnerability in our systems. The Ministry will validate, respond and fix vulnerabilities in accordance with our commitment to security and privacy. We will not take legal action or suspend or terminate access to Ministry services for those who discover and report security vulnerabilities in accordance with the Responsible Disclosure guidelines.
The Ministry reserves its legal rights in the event of noncompliance with the Responsible Disclosure guidelines.
We ask that anyone doing security testing:
- makes every effort to avoid interference with or breach of the privacy of individuals, degradation of user experience, disruption to production systems and destruction of data
- performs research only within the scope set out below
- deletes, and does not share, any Ministry confidential information / personal information they might have obtained
- uses the identified communication channel to report vulnerability information to us reasonably soon after they find it
- keeps information about any vulnerability they’ve discovered confidential between themselves and the Ministry until we have had an opportunity to fix the vulnerability.
If you follow these Responsible Disclosure guidelines when reporting an issue to us, we commit to:
- being as straightforward and communicative as we can with you
- treating the information you share with us as confidential within the Ministry and our suppliers, unless disclosure is necessary where:
  - a third party discovers the vulnerability before we have had the opportunity to resolve it
  - the vulnerability information is used to cause a privacy breach and the Ministry is required to handle the breach in accordance with the Privacy Act 2020
- not pursuing any legal action related to your research (provided you follow the Responsible Disclosure guidelines, keep our information confidential and cause no damage/disruption to Ministry services)
- working with you to understand and resolve the issue quickly (including an initial confirmation of your report within seven days of submission)
- recognising your contribution with a letter of acknowledgement if you are the first to report the issue and we make a code or configuration change based on the issue.
Scope
- webservices using the tracing.covid19.govt.nz domain
- the NZ COVID Tracer mobile app for iOS and Android
- webservices using the following domains: *.covid19.health.nz, identity.health.nz, and login.health.nz
Out of scope
Services hosted by third-party providers or vendors are excluded from scope. Any other governmental departments and/or agency providers and services are excluded from scope.
For issues that affect other governmental departments or agency providers, we suggest you contact CERT NZ, who offer an anonymous vulnerability reporting service.
In the interest of the safety of our users, staff, the internet at large and you, the following test types are excluded from the scope:
- findings from physical testing such as office access (eg, open doors, tailgating)
- findings derived primarily from social engineering (eg, phishing, whaling)
- findings from applications or systems not listed in the `Scope` section
- UI and UX bugs and spelling mistakes
- network-level Denial of Service (DoS/DDoS) vulnerabilities
- destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to the Ministry, including any information that may be relevant to you.
How to report a security vulnerability
If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing [email protected]. Please write the report clearly and in English and include the following details:
- type of vulnerability
- how you found the vulnerability, and whether it has been published or shared with others
- affected configurations
- exposure or possible exposure of any personal information
- description of the location and potential impact of the vulnerability
- a detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots and compressed screen captures are all helpful to us)
- your name/handle and a link for recognition in our Hall of Fame.