If you find a security problem in the Office of the Privacy Commissioner’s website, Privacy Commissioner John Edwards wants you to tell him about it.

Mr Edwards has launched his office’s Vulnerability Disclosure Policy in time for the New Zealand Internet Task Force (NZITF) conference in Wellington today.

“A vulnerability disclosure policy demonstrates the commitment we have to security. The policy publicly commits our office to responding promptly when advised of any vulnerability,” he said.

A vulnerability disclosure policy encourages people who find vulnerabilities in the Office of the Privacy Commissioner’s website to report them responsibly. The policy also gives an assurance that the Privacy Commissioner will not seek to prosecute people who find vulnerabilities and follow the policy when reporting them.

Mr Edwards hopes publishing his office’s policy will encourage other agencies to follow the NZITF’s guidelines on responsible disclosure.

“This policy was developed because of incidents where members of the public - often information security experts - notice security weaknesses in information systems, software and websites.

“Organisations have sometimes responded in a hostile manner to reports of weaknesses in their online systems. In some cases, people who have reported security weaknesses have been harassed or referred to police for prosecution,” Mr Edwards said.

John Edwards says his office and the NZITF want to support the adoption of responsible disclosure policies.

“It takes fear out of the equation. The idea is to assure anyone who notices a problem with our website that they can tell us about it without recrimination. If people can report online security problems, everyone benefits if those vulnerabilities are fixed as quickly as possible.”

ENDS

Read a copy of the Office of the Privacy Commissioner’s vulnerability disclosure policy.