Responsible Disclosure Policy
1. Our Commitment
QTech Cyber Pty Ltd is committed to the security of our own systems and to supporting the broader Australian and global security research community. We recognise that independent security researchers play an important role in identifying vulnerabilities and improving cybersecurity outcomes. This Responsible Disclosure Policy sets out how we expect vulnerability disclosures to be made, how we will handle them, and the protections available to good-faith researchers.
This policy applies to vulnerabilities discovered in systems directly operated or maintained by QTech Cyber. It does not extend to client systems unless QTech Cyber has been contractually engaged to manage security on the client's behalf.
2. Legal Framework for Security Research in Australia
Security research conducted in accordance with this policy and in genuine good faith may be protected from prosecution under Australian law. However, researchers should be aware of the following legislation and ensure their activities remain lawful:
- Criminal Code Act 1995 (Cth) — Division 477: Prohibits unauthorised access to, modification of, or impairment of computer data and electronic communications. Authorisation under this policy is limited to passive discovery only — do not exploit, modify, delete, or exfiltrate data.
- Cybercrime Act 2001 (Cth): Creates offences relating to unauthorised access to or modification of restricted data. This policy does not constitute authorisation to access restricted data.
- Privacy Act 1988 (Cth): Personal information encountered during research must not be accessed beyond what is necessary to demonstrate the vulnerability, must not be retained, and must be reported to us confidentially.
- Telecommunications (Interception and Access) Act 1979 (Cth): Prohibits interception of communications without lawful authority.
Researchers operating outside the bounds of this policy, or who cause harm, disruption, or data loss, will not be afforded safe harbour protections and may be reported to relevant authorities.
3. Scope
This policy applies to the following in-scope assets:
- The QTech Cyber public website and its subdomains
- Publicly accessible QTech Cyber APIs and web services
- QTech Cyber corporate email infrastructure (configuration issues only, no testing of email content or accounts)
The following are explicitly out of scope and must not be tested under any circumstances:
- Client systems, networks, or applications — whether or not they are referenced on our website
- Third-party services or infrastructure used by QTech Cyber (report these to the relevant vendor directly)
- Any automated scanning or denial-of-service testing against any QTech Cyber asset
- Physical security testing of QTech Cyber premises or personnel
4. Reporting a Vulnerability
If you believe you have identified a security vulnerability within scope, please report it to us confidentially and promptly:
- Email: [email protected] (PGP key available on request for encrypted submissions)
- Acknowledgement SLA: We will acknowledge receipt of your report within 2 business days
- Triage SLA: We will complete initial triage and confirm scope within 5 business days
- Resolution SLA: We aim to remediate critical and high-severity findings within 30 days, and medium/low findings within 90 days
Please include in your report: a description of the vulnerability, the potential impact, steps to reproduce, any proof-of-concept (without exploiting or accessing real data), and your contact details for follow-up.
5. Good Faith Expectations
To qualify for safe harbour protections under this policy, researchers must:
- Act in genuine good faith to avoid harm to QTech Cyber, our clients, and the public
- Not access, copy, modify, delete, or exfiltrate personal information or confidential data
- Not disrupt, degrade, or deny access to QTech Cyber services or systems
- Not conduct social engineering, phishing, or physical security attacks against QTech Cyber personnel
- Not publicly disclose the vulnerability until QTech Cyber has had a reasonable opportunity to remediate it (typically 90 days from acknowledgement)
- Comply with all applicable Australian laws throughout the research process
6. Safe Harbour
Researchers who comply with this policy and act in genuine good faith will not face legal action from QTech Cyber in connection with their security research. We will not refer compliant researchers to law enforcement. This safe harbour does not extend to third-party legal claims, claims arising from intentional harm or data misuse, or activities that fall outside the scope of this policy.
7. Recognition
We appreciate the contribution of the security research community. Researchers who responsibly disclose valid, in-scope vulnerabilities will be acknowledged in our public Security Hall of Fame with their consent. We do not currently operate a paid bug bounty programme; however, this position is under active review.