Security
Vulnerability disclosure
We take security reports very seriously. If you believe you have found a vulnerability affecting infosec.com.au, please report it responsibly.
How to report
- Email: security@infosec.com.au
- Include: affected URL(s), steps to reproduce, proof of concept (if safe), and your assessment of impact.
- If the issue involves personal data, include only the minimum evidence required to demonstrate the problem.
Security mailbox
- Use security@infosec.com.au for vulnerability reports.
- Use contact@infosec.com.au for general enquiries.
- Include a clear subject (e.g., [VULN]) and provide reproducible steps.
- If you want to encrypt a report, see PGP instructions.
- With your permission, we may acknowledge valid reports (see Security acknowledgments).
- Please avoid sending confidential customer data, credentials, or large attachments unless we request them.
What you can expect
- We will acknowledge receipt of your report within a reasonable timeframe.
- We may ask clarifying questions to reproduce and validate the issue.
- We will work to remediate validated issues in line with risk and operational constraints.
Please do not
- Access, modify, or delete data that is not your own.
- Disrupt services (e.g., DDoS), send spam, or socially engineer staff or users.
- Publicly disclose the issue before we have had a reasonable chance to fix it.
Note: This policy does not grant permission to perform testing that is unlawful or outside authorised activity. If you are unsure whether your testing is permitted, ask first.
Safe harbour
We consider security research conducted in good faith to be authorised under this policy when it:
- Is limited to systems and domains owned by Infosec Pty Ltd (including infosec.com.au)
- Avoids privacy violations, data exfiltration, service disruption, and persistence
- Respects rate limits and stops testing immediately if there is any risk of impact
- Is reported promptly and privately to us
If you comply with this policy, we will not initiate legal action against you for your good-faith research, and we will not ask law enforcement to pursue you for it. This does not apply to intentional harm, extortion, social engineering, denial-of-service, or actions outside this policy.
Last updated: 9 April 2026