Security

Responsible Disclosure

Last updated: 21 May 2026

Our commitment

Security is the core of what CyberCTRL does. We welcome reports from the security community and treat every submission seriously. If you believe you have found a vulnerability in the CyberCTRL platform, we want to hear from you - and we commit to working with you to verify and resolve it.

How to report

Email security@cyberctrl.au with:

  • A clear description of the issue and its potential impact.
  • Step-by-step instructions to reproduce it (proof-of-concept where possible).
  • The affected URL, endpoint, or component.
  • Your name or handle, if you would like to be acknowledged.

Our machine-readable policy is published at /.well-known/security.txt in line with RFC 9116.

Scope

In scope:

  • cyberctrl.au and the CyberCTRL application and API.
  • Authentication, authorisation, and session handling.
  • Data exposure, injection, and access-control issues.

Out of scope:

  • Findings from automated scanners without a demonstrated, exploitable impact.
  • Denial-of-service, volumetric, or brute-force testing.
  • Social engineering, phishing, or physical attacks against staff or facilities.
  • Third-party services we rely on (Stripe, Brevo, Cloudflare, AWS) - please report those to the relevant provider.
  • Issues requiring a rooted/jailbroken device or a heavily outdated browser.

Safe harbour

We will not pursue or support legal action against researchers who act in good faith and in accordance with this policy. To stay within safe harbour, please:

  • Only test against accounts and data you own or have explicit permission to access.
  • Avoid privacy violations, data destruction, and service disruption.
  • Do not access, modify, or exfiltrate other users' data - stop and report as soon as access is confirmed.
  • Give us a reasonable opportunity to remediate before any public disclosure.

What to expect from us

  • Acknowledgement of your report within 3 business days.
  • An initial assessment and severity triage within 10 business days.
  • Regular updates on remediation progress for valid findings.
  • Public acknowledgement of your contribution, with your permission, once resolved.

CyberCTRL does not currently operate a paid bug-bounty program, but we are grateful for and will recognise responsible disclosures.

Contact

Security reports: security@cyberctrl.au. For general or privacy enquiries see our Privacy Policy.