Disclosure of system security issues
We take the security and privacy of our information seriously. If you find a security issue in our systems, tell us so we can fix it.
We value engagement with our community. Letting us know about security issues in our systems helps us make sure our information is secure and private.
If you have identified a security issue within our systems, we will work with you in good faith to validate and fix it.
If you act in accordance with these standards, we will not:
- initiate legal action by complaining to the police or any other responsible enforcement agency
- suspend or terminate your access to Tertiary Education Commission (TEC) services.
If you do not act in accordance with these standards, we reserve the right to commence legal action, including by complaining to the NZ Police or other appropriate enforcement agency.
Responsible disclosure standards
These standards are designed to help both you and TEC if you find a security issue with our systems.
If you are doing security testing you must:
- make every effort to avoid:
  - breaching the privacy of individuals
  - slowing down the system for users
  - disrupting production systems
  - destroying data
- perform research only within the scope set out below
- delete, and do not share, any TEC confidential information or personal information you might have obtained
- report security issues with our systems as soon as possible after you find them by emailing security.reports@tec.govt.nz
- keep information about security issues with our systems confidential between yourself and TEC until we have had a reasonable opportunity to fix them (at least 60 working days from the initial report)
- understand TEC will not pay for any of this information.
Our commitment to you
If you follow these responsible disclosure standards when reporting an issue to us, we commit to:
- being straightforward and communicative with you
- treating the information you share with us as confidential to TEC and our suppliers, unless we must disclose it because:
  - a third party discovers the security issue within our system before we’ve had the opportunity to resolve it
  - the information is used to cause a privacy breach and we are required to handle the breach in accordance with the Privacy Act 2020 or Official Information Act 1982
- not initiating legal action by complaining to the police or any other responsible enforcement agency, provided you follow the responsible disclosure standards, keep our information confidential, and cause no damage or disruption to TEC services
- working with you to understand and resolve the issue quickly (including initially confirming your report within five working days of submission)
- potentially recognising your contribution with a letter of acknowledgement if you are the first to report the issue and we make a code or configuration change based on the issue.
In scope
These standards cover:
- online services operated under the following domains: tec.govt.nz, Tahatu.govt.nz, inspiringthefuture.org.nz, and literacyandnumeracyforadults.com
- other domains and online services that are clearly identified as owned and/or operated by TEC.
Out of scope
For issues that affect other government departments or agency providers, we suggest you contact the National Cyber Security Centre, which offers an anonymous reporting service for system security issues.
Report it – National Cyber Security Centre
The following test types are out of scope of these standards:
- findings from physical testing such as office access (eg, open doors, tailgating)
- findings derived primarily from social engineering (eg, phishing, whaling)
- findings from applications or systems not listed in the “in scope” section
- UI and UX bugs and spelling mistakes
- network-level denial of service (DoS/DDoS) weaknesses
- destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to TEC. This includes any information TEC holds that relates to you.
How to report a security issue
If you believe you’ve found a security issue in one of our products or platforms, email us at security.reports@tec.govt.nz.
Write the report clearly and include the following details:
- the type of security issue
- how you found the security issue
- whether the security issue has been published or shared with others
- affected configurations
- exposure or potential exposure of any personal information
- the location and potential impact of the security issue
- a detailed description of the steps required to reproduce the issue or risk (proof of concept scripts, screenshots and compressed screen captures are all helpful to us).