The NZ Covid Tracer is built with security and data privacy in mind to ensure your data is safe.
We are grateful for security researchers and users reporting a vulnerability to us first. To ensure that your request is handled in a timely manner and we can keep users safe, please follow the below guidelines.
-
Please do not report security vulnerabilities directly on GitHub.
-
To report a vulnerability, please email vulnerability-disclosures@health.govt.nz.
-
In the email, please include the following:
- Application: "NZ COVID Tracer"
- Version: " " (Either note the specific release version or commit id of the master branch you investigated.)
- Platform: " "
- Vulnerability Title: " "
- Description: " "
- Type: " "
- CVSS v3 score: " "
- Steps to Reproduce: " "
-
We ask that you do not publish or share the vulnerability with anyone else.
-
For support or bug reports that don't impact on security, email help@covidtracer.min.health.nz.
The Ministry of Health is committed to timely review and response to disclosures. The project will inform the public about security vulnerabilities after they are resolved or a patch is available.
More details about the Ministry of Health vulnerability disclosure policy are available on the Ministry of Health website.