Vulnerability Disclosure Policy

About this policy

Essential Energy is committed to ensuring the security of our systems, however despite our best-efforts vulnerabilities may still exist.

We are keen to work with members of the security research community and encourage you to responsibly share your findings with us, in line with this policy.

We are unable to compensate you for finding confirmed or potential vulnerabilities, however, with your permission we can credit you with the finding and will publish your name or alias on this page.

What this policy covers

Our policy covers:

  • any product or service owned by Essential Energy to which you have lawful access.

Our policy does not cover:

  • clickjacking
  • social engineering
  • weak or insecure SSL ciphers and certificates
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS)
  • physical attacks against Essential Energy, its employees or property belonging to Essential Energy
  • sending, uploading, linking to, posting, or transmitting any malware
  • attempts to extract, modify, or destroy data
  • access or attempt to access accounts or data that does not belong to you
  • any actions that violate Australian law.

This policy does not authorise any individuals, groups, or companies to participate in hacking or penetration testing against Essential Energy systems.

How to report a vulnerability

If you believe you have found a security vulnerability, please email vulnerability.management@essentialenergy.com.au with enough information that we may locate or replicate the vulnerability.

We operate this policy under the responsible disclosure method and request that you do not disclose this vulnerability until we have had enough time to remediate it.

What happens next

We will:

  • acknowledge receipt of your report within 5 working days
  • keep you informed as to our progress
  • with your permission, credit you with finding the vulnerability.

People who have disclosed a vulnerability

Below are the names or aliases of people who given their consent to have their contribution to our vulnerability disclosure program published:

  • None