We advocate for responsible vulnerability disclosure. If you've found a vulnerability, we would like to know so we can fix it.
This notice explains how security vulnerabilities should be reported. We will assess and triage all reported vulnerabilities.
You can report a vulnerability for the following domains:
- *.digital.canada.ca
- *.numerique.canada.ca
- *.notification.canada.ca
- *.cdssandbox.xyz
- articles.alpha.canada.ca
- forms-formulaires.alpha.canada.ca
- list-manager.alpha.canada.ca
- scan-files.alpha.canada.ca
In your report:
- You can remain anonymous.
- Only submit reports about an exploitable vulnerability. Do not submit reports detailing non-exploitable vulnerabilities, or reports indicating only that the services do not fully align with “best practice” (for example, missing security headers), and do not submit a high volume of low-quality reports (for example, from an automated scanner).
- Do not communicate any vulnerabilities or associated details other than by means described in this notice.
- Do not expect or demand financial compensation for your research and testing to disclose vulnerabilities.
You can email security+securite@cds-snc.ca if you are not sure whether the vulnerability is genuine and exploitable, or if you have found:
- A non-exploitable vulnerability.
- Something you think could be improved - for example, missing security headers.
- TLS configuration weaknesses - for example, weak cipher suite support or the presence of TLS 1.0 support.
When you are investigating and reporting the vulnerability you must not:
- Break the law.
- Access unnecessary or excessive amounts of data.
- Modify data.
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Attempt a denial of service - for example, overwhelming a service on canada.ca with a high volume of requests.
- Disrupt the Government of Canada’s services or systems.
- Tell other people about the vulnerability you have found until we have disclosed it.
- Social engineer, phish or physically attack our staff or infrastructure.
- Demand money to disclose a vulnerability.
Code of Conduct
Please view our contributors’ code of conduct for more information on how to contribute in an open and welcoming way.
Bug bounty
CDS doesn't offer a paid bug bounty program.
After you've reported the vulnerability
- We will prioritize fixing the vulnerability by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address.
- You’re welcome to ask about the status of your report, but please do so no more than once every 14 days.
- We will treat your report in accordance with the Access to Information Act and the Privacy Act.