If you believe you've discovered a potential security vulnerability affecting Department of Transport and Major Infrastructure (DTMI) systems, please report it to:
In Scope
This disclosure policy applies to:
- Public-facing DTMI websites and web applications hosted under:
  - *.transport.wa.gov.au
  - *.plateswa.com
  - *.yourmove.org.au
  - *.metronet.wa.gov.au
  - *.westport.wa.gov.au
  - *.circlezero.wa.gov.au
  - go.wa.gov.au
- Mobile applications developed and maintained by DTMI:
  - PTSS mobile app - Google Play Store, Apple App Store
  - Licence Alert - Google Play Store, Apple App Store
- Online services and portals used by WA citizens and businesses to interact with DTMI.
Out of Scope
- Third-party services or platforms not operated by DTMI.
- Subdomains or systems managed by other WA Government agencies.
- Activities such as denial-of-service (DoS/DDoS), phishing, physical access attempts, or uploading malware.
- Learn&log service
In general, low-severity issues without a direct security impact (weak SSL cipher suites, missing HTTP security headers, SPF/DKIM/DMARC misconfiguration, etc.) will not be considered in scope.
If you're unsure whether a system is in scope, please contact us before proceeding with any testing.
What to Include in Your Report
Please provide as much detail as possible, including:
- A clear explanation of the potential vulnerability.
- A list of affected products, services, or systems.
- Steps to reproduce the issue.
- Proof-of-concept code or screenshots (if applicable).
- Your contact information.
Collection Notice
We collect personal information you provide in your report (such as your name and contact details) to assess and respond to security vulnerabilities and to communicate with you about your submission. We may share this information with relevant DTMI teams, service providers or other WA Government agencies where required to investigate or remediate the issue.
We will not publish your personal details without your consent. Providing your information is voluntary; however, if you do not provide sufficient details, we may be unable to fully investigate your report or contact you.
You can request access to or correction of your personal information by contacting us at vulnerabilitydisclosure@transport.wa.gov.au.
What Happens Next
We will:
- Acknowledge your report within 5 business days.
- Keep you informed of progress and remediation steps.
- Work with you to agree on a public disclosure timeline.
- Credit you for the discovery, unless you prefer to remain anonymous.
What We Don’t Do
- We do not offer compensation for vulnerability reports.
- We will not share your personal details without your consent.
Confidentiality
We ask that you:
- Do not publicly disclose the vulnerability until we provide written consent.
- Maintain confidentiality of any sensitive information shared during the process.
People who have disclosed vulnerabilities to us
Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:
- Khajornchol Puwarang