This is the security notice for all Canadian Digital Service (CDS) repositories. If you're here because you found a vulnerability on a domain not on the list below, please contact the Canadian Centre for Cyber Security.
The notice explains how vulnerabilities should be reported to CDS. At CDS there is a cyber security team, as well as security-conscious people within the organization, that assess and triage all reported vulnerabilities.
The following domains are in scope for this notice:
When you are investigating and reporting the vulnerability you must not:
- Break the law.
- Access unnecessary or excessive amounts of data.
- Modify data.
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Try a denial of service - for example overwhelming a service on canada.ca with a high volume of requests.
- Disrupt Government of Canada’s services or systems.
- Tell other people about the vulnerability you have found until we have disclosed it.
- Social engineer, phish or physically attack our staff or infrastructure.
- Demand money to disclose a vulnerability.
Code of Conduct
Please view our contributors' code of conduct for more information on how to contribute in an open and welcoming way.
Unfortunately, CDS doesn't offer a paid bug bounty program. CDS will make efforts to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly. We do have an acknowledgements page for legitimate issues found by researchers.
How to report a vulnerability
CDS is an advocate of responsible vulnerability disclosure. If you’ve found a vulnerability, we would like to know so we can fix it.
In your report:
- You can remain anonymous.
- Only submit reports about exploitable vulnerabilities. Do not submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”. Examples include missing security headers, or a high volume of low-quality reports (for example, from an automated scanner).
- Do not communicate any vulnerabilities or associated details other than by means described in this notice.
- Do not expect or demand financial compensation for your research and testing to disclose vulnerabilities.
You can reach out via email at email@example.com if you are not sure if the vulnerability is genuine and exploitable, or you have found:
- A non-exploitable vulnerability.
- Something you think could be improved - for example, missing security headers.
- TLS configuration weaknesses - for example weak cipher suite support or the presence of TLS1.0 support.
After you’ve reported the vulnerability
When you choose to share your contact information with us, we commit to communicating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will prioritize fixing the vulnerability by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You’re welcome to ask for the status, but please do so no more than once every 14 days. That way, our teams can focus on the remediation.
- We will do our best to maintain an open dialogue with you to discuss issues and will work with you to determine whether and how the flaw reported will be made public.
- We will treat your report in accordance with the Access to Information Act and the Privacy Act.
- We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.