Vulnerability Disclosure Statement

If you believe you've discovered a potential security vulnerability affecting Department of Transport and Major Infrastructure (DTMI) systems, please report it to:

Email: vulnerabilitydisclosure@transport.wa.gov.au

In Scope

This disclosure policy applies to:

  • Public-facing DTMI websites and web applications hosted under:
    • *.transport.wa.gov.au.
    • *.plateswa.com.
    • *.yourmove.org.au.
    • *.metronet.wa.gov.au.
    • *.westport.wa.gov.au.
    • go.wa.gov.au.
  • Online services and portals used by WA citizens and businesses to interact with DTMI.

Out of Scope

  • Third-party services or platforms not operated by DTMI.
  • Subdomains or systems managed by other WA Government agencies.
  • Activities such as denial-of-service (DoS/DDoS), phishing, physical access attempts, or uploading malware.
  • Learn&log service.

In general, low-severity issues without a direct security impact (weak SSL cipher suites, missing HTTP security headers, SPF/DKIM/DMARC misconfiguration, etc.) will not be considered in scope.

If you're unsure whether a system is in scope, please contact us before proceeding with any testing.

What to Include in Your Report

Please provide as much detail as possible, including:

  • A clear explanation of the potential vulnerability.
  • A list of affected products, services, or systems.
  • Steps to reproduce the issue.
  • Proof-of-concept code or screenshots (if applicable).
  • Your contact information.

What Happens Next

We will:

  • Acknowledge your report within 5 business days.
  • Keep you informed of progress and remediation steps.
  • Work with you to agree on a public disclosure timeline.
  • Credit you for the discovery, unless you prefer to remain anonymous.

What We Don’t Do

  • We do not offer compensation for vulnerability reports.
  • We will not share your personal details without your consent.

Confidentiality

We ask that you:

  • Do not publicly disclose the vulnerability until we provide written consent.
  • Maintain confidentiality of any sensitive information shared during the process.