Vulnerability Disclosure Policy

Section 1 - Purpose

(1) This Policy outlines the University’s Security Vulnerability disclosure program, which aims to provide a method for individuals and/or groups to notify the University of any identified or suspected security vulnerabilities within the University’s IT Resources or products.

Scope

(2) This Policy applies to any individual and/or group with lawful access to Macquarie University’s (the University’s) IT Resources or products provided by the University.

Background

(3) The University is committed to maintaining a secure technology environment and as such, believes in the responsible disclosure of potential security vulnerabilities. By establishing an official reporting channel, the University aims to remediate security vulnerabilities and therefore decrease the likelihood of malicious exploitation.

Section 2 - Policy

Reporting Protection

(4) To encourage responsible reporting, the University will not take legal action against an individual and/or group who reports a Security Vulnerability, so long as any actions undertaken are in accordance with the requirements of this Policy.

Unauthorised Conduct

(5) Any individual with access to the University’s resources or products must comply with Australian law, and not compromise or exploit the University’s Information, staff, infrastructure or operations. The following actions are not authorised, unless specifically authorised by the University:

  1. engaging in unlawful or unethical behaviour;
  2. disclosing Security Vulnerability information publicly;
  3. engaging in physical testing;
  4. leveraging deceptive techniques (e.g., Social Engineering);
  5. executing resource exhaustion attacks (e.g., Distributed Denial of Service);
  6. leveraging automated vulnerability assessment tools;
  7. introducing malicious software that could negatively impact the University;
  8. reverse engineering the University’s products or IT Resources;
  9. modifying, destroying, or exfiltrating the University’s Information;
  10. hacking or penetration testing the University’s IT Resources; and
  11. accessing or attempting to access University accounts or Information.

Vulnerability Assessment & Mitigation

(6) Upon receiving a Security Vulnerability report, the University will:

  1. analyse and evaluate the Security Vulnerability to determine its validity and potential impact to the University; and
  2. take appropriate action to mitigate the Security Vulnerability.

Section 3 - Procedures

How to Report

(7) A potential Security Vulnerability can be reported to cyber@mq.edu.au and should contain the following information (where possible):

  1. a detailed explanation of the potential Security Vulnerability;
  2. the name of the product(s) and/or IT Resource(s) that may be affected;
  3. the number of potential end users affected;
  4. detailed steps taken to identify and reproduce the potential Security Vulnerability;
  5. evidence (e.g., proof-of-concept code/scripts, screenshots, screen recordings); and
  6. the contact details of the reporter and whether they wish to be publicly acknowledged.

Outcome

(8) The University will:

  1. respond to the individual and/or group acknowledging receipt of the report within 2 weeks;
  2. request additional information regarding the Security Vulnerability (if required); and
  3. keep the individual and/or group informed of the progress if requested.

(9) The University will not:

  1. provide any financial compensation for the disclosure of a Security Vulnerability; or
  2. share an individual's and/or group's details without permission.

Section 4 - Guidelines

(10) Nil.

Section 5 - Definitions

(11) The following definitions apply for the purpose of this Policy:  

  1. Information means any information in either physical or electronic format that is generated, created, stored, purchased or received during the conduct of University operations.
  2. IT Resource means any device or software that has value to the University and consequently needs to be suitably protected, including hardware (e.g., laptops, desktops, servers, network equipment, phones, printers, storage devices), and applications (e.g., cloud/desktop/server based).
  3. Security Vulnerability means a weakness in an IT Resource that can be exploited for malicious purposes.