Security of our online systems and services

New Zealand Police takes the security and privacy of our information seriously. We are always looking to increase and improve our security. If you identify a security issue with our systems, please tell us so that we can fix it.

How you can help

We value your feedback. Letting us know if you think there is a security issue with our systems helps us to maintain the security and privacy of our information.

If you have identified a security issue within our systems, our ICT team will work with you to validate and fix it. Where we get a report about systems run by our third-party suppliers, we may need to work with you to report the vulnerability to them.

We will not take legal action against you or suspend or terminate your access to our services if you follow these guidelines when reporting the issue to us, but New Zealand Police reserves all of its legal rights if you don’t follow the Responsible Disclosure guidelines. Please only act within the scope outlined in this policy.

We do not pay ‘bug bounties’ or pay for reported security issues.

Responsible Disclosure guidelines

These guidelines are designed to help both you and us when you find a security issue with our systems. If you find a security issue in our systems, please:

  • Work only within the scope set out below.
  • Use the 'Report an ICT System Security Issue' online form or email cybersecurity@police.govt.nz to report security issues with our systems as soon as possible after you find them.
  • Keep information about any security issues with our systems that you’ve discovered private between yourself and NZ Police until we have had an opportunity to fix them.
  • Do not:
    • breach the privacy of any individuals.
    • copy, download or disclose to anyone else any information about or from Police systems.
    • modify, corrupt, or destroy any information on Police systems.
    • do anything that could impact or disrupt Police systems or services.
    • disclose information about any security issues you may have identified with our systems until we have had an opportunity to fix them.

Our Commitment to you

If you follow these Responsible Disclosure guidelines when reporting an issue to us, we commit to:

  • Being as clear and communicative as we can with you.
  • Treating the information you share with us as private within us and our suppliers, unless we have to disclose it because someone else discovers the same or a similar security issue in our systems and we are required to act promptly before we’ve had the opportunity to resolve the matter with you, or the security issue is used to cause a privacy breach and we are required to handle the breach.
  • Not disabling your service access or initiating legal action against you related to the security issue provided you follow the Responsible Disclosure guidelines, keep our information private and do not cause damage or disruption to our services.
  • Working with you to understand and resolve the issue quickly (including an initial confirmation of your report within seven days of submission).
  • Quickly dealing with security issue(s) you have told us about.
  • We may recognise your contribution with a letter of acknowledgement if you are the first to report the issue and we make a code or configuration change based on the issue.

In Scope

The scope includes:

If you do not know if a service is within scope, please email us at cybersecurity@police.govt.nz.

Out of scope

The following test types and findings are excluded from the scope:

  • Findings from applications or systems not listed in the ‘In scope’ section.
  • Network level Denial of Service (DoS/DDoS) weaknesses.
  • Findings derived primarily from social engineering, for example, phishing, whaling.
  • Findings from physical testing such as office access, for example, open doors, tailgating.
  • User interface and user experience bugs and spelling mistakes.
  • Destruction or corruption of, or attempts to destroy or corrupt, data or information in Police systems.
  • A security issue affecting another government department or agency. Please report any issue to that government department or agency or to CERT NZ.

How do you report a security issue?

If you believe you’ve found a security issue in one of our systems or services, please report it to us by emailing cybersecurity@police.govt.nz or use the 'Report an ICT System Security Issue' online form.

Please include the following details:

  • The type of security issue.
  • How you found the security issue.
  • Whether the security issue has been published or shared with others.
  • Affected configurations.
  • Exposure or potential exposure of any personal information.
  • Description of the location and potential impact of the security issue.
  • A description of the steps required to reproduce the issue or risk. For example, proof of concept scripts, screenshots and screen captures are all helpful.
  • Optionally, your name and contact details.

How to remain anonymous

CERT NZ operate a coordinated vulnerability disclosure process where the finder of a security issue can use CERT NZ to notify affected vendors. See how to report a vulnerability.