COVID-19 SERVICES UPDATE: Information for all alert levels, Waka Kotahi services and more

SCAM ALERTS: Report a phishing scam or learn about the latest phishing emails

ONLINE SERVICES: We currently have an issue with receiving some payments and are working to resolve this issue as quickly as possible. We apologise for any inconvenience.

EASTER WEEKEND – PLAN AHEAD: Heading away for the long weekend? Check our holiday journeys tool(external link)

SCAM ALERTS: Refund email and Vehicle licence (rego) renewal phishing emails

Responsible disclosure guidelines

Waka Kotahi NZ Transport Agency takes the security and privacy of our information seriously. If you identify a security issue with our systems, please tell us so that we can get it fixed.

These guidelines are designed to help both you and Waka Kotahi when you find a security issue with our systems. If you are doing security testing, we require that you:

  • make every effort to avoid:
    • a breach of the privacy of individuals
    • anything that will slow the system down for users
    • disruption to production systems
    • destruction of data
  • perform research only within the scope set out below
  • delete, and do not share, any Agency confidential information or personal information you might have obtained
  • email W&TCyberSecuritySOC@nzta.govt.nz to report security issues with our systems as soon as possible after you find it
  • keep information about any security issues with our systems that you’ve discovered confidential between yourself and Waka Kotahi until we have had an opportunity to fix it.

Our commitment to you

If you act in good faith and follow these Responsible Disclosure guidelines then we commit to:

  • be as straightforward and communicative as we can with you
  • treat the information you share with us as confidential within Waka Kotahi and our suppliers, unless we have to disclose it because:
    • a third party discovers the security issue within our system before we’ve had the opportunity to resolve it, or
    • the information on the security issue within our system is used to cause a privacy breach and Waka Kotahi is required to handle the breach in accordance with the Privacy Act 2020.
  • not take any legal action against you related to your research provided you follow the Responsible Disclosure guidelines, keep our information (and all personal information) confidential, and cause no damage/disruption to Waka Kotahi services
  • work with you to understand and resolve the issue quickly (including an initial confirmation of your report within seven days of submission)

Waka Kotahi reserves all of its legal rights if you do not follow the Responsible Disclosure guidelines.

Limitations

In the interest of the safety of our users, employees, the internet at large, and you, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, whaling)
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) weaknesses
  • Destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to Waka Kotahi. This includes any information that may be relevant to you.

How do you report a security issue?

If you believe you’ve found a security issue in one of our products or platforms please send it to us by emailing W&TCyberSecuritySOC@nzta.govt.nz. Please write the report clearly and in English, and include the following details:

  • Type of security issue
  • How you found the security issue
  • Whether the security issue has been published or shared with others
  • Affected products and versions
  • Affected configurations
  • Exposure or possible exposure of any personal information
  • Description of the location and potential impact of the security issue

A detailed description of the steps required to reproduce the issue or risk (Proof of concept scripts, screenshots, and compressed screen captures are all helpful to us)

Please encrypt the information using our PGP key, which can be found in our security.txt file.

Once submitted, we will acknowledge that we have received your report within seven days and provide an outline response plan where applicable.

If the reported vulnerability results in remediation of one of our systems, we may choose to acknowledge the security researchers contribution to the security of our systems by listing them on our hall of fame.

This information disclosure policy was written in combination with the NZITF Coordinated Disclosure guidelines(external link) and the Disclose.io disclosure policy guidelines(external link).