Responsible Disclosure Policy

Tillered Holdings Limited

Effective Date: 30 January 2026

1. Purpose and Scope

1.1 Purpose

Tillered Holdings Limited (“Tillered”, “the Company”) is committed to ensuring the security, confidentiality, integrity, and availability of our systems, services, and customer data. We recognise that collaboration with the security research community, responsible disclosure of vulnerabilities, and transparent communication are essential components of a mature cyber security risk management framework.

This Responsible Disclosure Policy establishes clear guidelines for external parties, including security researchers, customers, partners, contractors, and the public, to report security vulnerabilities they discover in Tillered’s digital assets in a lawful, coordinated, and confidential manner.

1.2 Scope

This policy applies to:

  • Tillered Holdings Limited corporate websites, web applications, and customer portals
  • Cloud-hosted infrastructure and services operated by or on behalf of Tillered
  • Publicly accessible APIs, mobile applications, and software products
  • Internet-facing systems, networks, and digital infrastructure under Tillered’s operational control

This policy does not apply to:

  • Physical security testing of Tillered facilities or premises
  • Social engineering, phishing, or deceptive techniques targeting Tillered staff
  • Third-party systems, services, or platforms not under Tillered’s direct control
  • Vulnerabilities in client-owned systems or infrastructure (unless specifically contracted)
  • Testing or attacks that violate Australian, New Zealand, or other applicable laws

For Defence Industry Security Programme (DISP) classified systems, Protected systems, or systems subject to export control obligations (ITAR, DSPF), disclosure and testing are governed by separate classified handling and incident response procedures. Suspected vulnerabilities in these environments must be reported immediately to [email protected] with the subject line “PROTECTED: DISP Security Issue.”

2. Governance and Responsibilities

2.1 Roles and Accountability

Role                         | Responsibility
-----------------------------|---------------------------------------------------------------------------
Chief Security Officer (CSO) | Policy owner; approves safe harbour determinations, remediation timelines, and public disclosure decisions
Information Security Officer (ISO) | Manages vulnerability intake, triage, validation, and coordination with reporters; maintains the disclosure log
Engineering & IT Operations  | Implements fixes, deploys patches, and validates remediation; provides technical impact assessments
Legal & Compliance           | Reviews safe harbour requests; ensures compliance with the ISM, DISP, the Privacy Act, and contractual obligations
External Reporters           | Report vulnerabilities privately and in good faith; adhere to the responsible testing guidelines; maintain confidentiality

3. Responsible Disclosure Process

3.1 How to Report a Vulnerability

If you believe you have identified a security vulnerability within Tillered’s systems or services, please report it privately to our security team using the following channels:

Primary Contact:

Alternative Contact:

For urgent or time-sensitive issues, contact the Information Security Officer directly at [email protected].

3.2 Information to Include in Your Report

To help us understand, validate, and remediate the issue efficiently, please provide as much detail as possible:

  • Vulnerability description: A clear summary of the issue, including the type of vulnerability (e.g., SQL injection, XSS, authentication bypass, cryptographic weakness)
  • Affected system or service: URL, IP address, application name, API endpoint, or other identifying information
  • Steps to reproduce: Detailed, step-by-step instructions to replicate the vulnerability
  • Proof of concept: Code snippets, screenshots, HTTP requests/responses, or screen recordings (where safe and lawful to provide)
  • Impact assessment: Your assessment of potential business or security impact (e.g., data exposure, privilege escalation, denial of service)
  • Your contact details: Name (or alias), email address, and preferred method of communication
  • Disclosure intentions: Whether you plan to publish details, present findings at a conference, or request public credit

3.3 What You Can Expect from Tillered

When you report a vulnerability to us in good faith and in accordance with this policy, you can expect the following:

Stage               | Timeline                        | Action
--------------------|---------------------------------|----------------------------------------------------------------------------
Acknowledgement     | Within 3 business days          | Confirmation of receipt and assignment of a tracking ID
Triage & Validation | Within 7 business days          | Assessment of severity, scope, and impact; validation of the issue
Remediation Plan    | Within 14 business days         | Estimated timeline for fix, compensating controls, or risk acceptance decision
Fix Deployment      | 30 to 90 days (risk-dependent)  | Implementation, testing, and deployment of patch or mitigation
Public Disclosure   | 14 to 30 days after fix         | Coordinated advisory publication (optional); credit to reporter if requested

We commit to:

  • Respond promptly and professionally to all good-faith reports
  • Maintain open, transparent communication throughout the triage, remediation, and disclosure process
  • Keep you informed of progress, challenges, and any delays
  • Work collaboratively to agree on appropriate disclosure timelines
  • Provide credit or acknowledgement in public advisories if you wish (or respect your request for anonymity)
  • Not pursue legal action against researchers who act in good faith and within the guidelines of this policy

4. Safe Harbour and Authorised Testing

4.1 Safe Harbour Provisions

Tillered Holdings Limited will not initiate legal action against individuals who:

  • Report vulnerabilities in good faith and in accordance with this policy
  • Conduct testing within the scope defined in Section 1.2
  • Make a good-faith effort to avoid privacy violations, data destruction, service disruption, or harm to Tillered, its customers, or third parties
  • Do not access, modify, exfiltrate, or disclose data that does not belong to them (testing must be limited to proof of concept only)
  • Comply with all applicable Australian, New Zealand, and international laws, including the Privacy Act 1988 (Cth), Crimes Act 1914 (Cth), Crimes Act 1961 (NZ), and cybercrime legislation

This safe harbour is conditional on adherence to the responsible testing guidelines in Section 4.2 below.

4.2 Responsible Testing Guidelines

When conducting vulnerability discovery or security research on Tillered systems, you must:

  • Test only in-scope systems: Limit testing to publicly accessible Tillered assets that fall within the scope defined in Section 1.2, and do not test anything listed there as out of scope
  • Use your own accounts: Do not access accounts, data, or systems belonging to other users or customers
  • Avoid destructive actions: Do not delete, modify, or encrypt data; do not deploy malware or backdoors
  • Minimise impact: Avoid resource exhaustion, denial-of-service (DoS) attacks, or actions that could degrade service availability
  • Maintain confidentiality: Do not disclose vulnerability details to any third party before Tillered has validated, remediated, and agreed to public disclosure
  • Report immediately: Submit your findings within 48 hours of discovery
  • Cease testing upon discovery: Once you have identified and documented a vulnerability, stop further exploitation or testing of that issue

You must not:

  • Conduct physical testing or unauthorised access to Tillered premises, devices, or staff
  • Use social engineering, phishing, pretexting, or deceptive techniques
  • Access, view, modify, exfiltrate, or retain customer data, personal information, or Tillered proprietary information
  • Disclose vulnerabilities publicly (including on social media, blogs, mailing lists, or conferences) before coordinated disclosure is agreed
  • Violate privacy, data protection, or cybercrime laws in any jurisdiction

Testing on Defence or Protected systems: If you believe you have discovered a vulnerability in a DISP-controlled, classified, or export-controlled system, immediately cease testing and report the issue to [email protected] with appropriate DLM protective markings. Unauthorised testing of these systems may result in criminal or civil liability under the Crimes Act 1914 (Cth), Defence Trade Controls Act 2012 (Cth), and export control regulations.

5. Out-of-Scope Activities

The following activities are explicitly prohibited and are not covered by safe harbour provisions:

  • Automated vulnerability scanning or brute-force attacks that generate excessive load or service disruption
  • Social engineering, phishing, vishing, or pretexting of Tillered staff, contractors, or customers
  • Physical attacks, facility intrusion, or tampering with hardware
  • Accessing, modifying, or exfiltrating data beyond what is strictly necessary to demonstrate a vulnerability
  • Exploitation of vulnerabilities for personal gain, competitive advantage, or malicious purposes
  • Disclosure of vulnerability details to third parties before Tillered has acknowledged, validated, and remediated the issue
  • Testing of third-party systems, services, or infrastructure not owned or controlled by Tillered
  • Any activity that violates Australian, New Zealand, or international law

Individuals engaging in prohibited activities may be subject to legal action, referral to law enforcement, and exclusion from future responsible disclosure participation.

6. Coordinated Public Disclosure

6.1 Disclosure Principles

Tillered Holdings Limited supports transparent, coordinated disclosure of security vulnerabilities after appropriate remediation has been implemented. We believe that public disclosure:

  • Improves industry-wide security awareness and best practices
  • Demonstrates accountability and maturity in cyber risk management
  • Provides recognition to the security research community
  • Supports our obligations under ISO 27001:2022, Essential Eight Maturity Level 2, and Defence Industry Security Programme standards

6.2 Disclosure Timelines

  • Standard timeline: Tillered will work with reporters to agree on a public disclosure date, typically 90 days from initial report or 30 days after a fix is deployed (whichever is later)
  • Extended timeline: For complex, high-impact vulnerabilities requiring coordination with third-party vendors, cloud providers, or Defence customers, disclosure may be delayed by mutual agreement
  • Early disclosure: If a vulnerability is being actively exploited in the wild, or if details have been publicly leaked, Tillered may accelerate disclosure to protect customers and stakeholders

6.3 Public Advisories and Credit

When appropriate, Tillered will publish security advisories on our website (/security) detailing:

  • A description of the vulnerability and affected systems
  • The severity and potential impact
  • Remediation steps taken by Tillered
  • Recommended actions for customers (if applicable)
  • Credit to the reporter (if permission is granted)

If you wish to receive public credit for your discovery, please indicate this in your initial report. We respect researchers who prefer to remain anonymous.

7. Exclusions and Limitations

7.1 No Bug Bounty Programme

Tillered Holdings Limited does not currently operate a bug bounty or financial reward programme. This policy provides safe harbour and public recognition but does not include monetary compensation for vulnerability reports.

7.2 Known Issues and Accepted Risks

Tillered will not remediate or provide credit for the following:

  • Issues already known to Tillered and documented in our risk register or remediation backlog
  • Low-impact issues such as missing security headers, SSL/TLS configuration recommendations, or informational findings that do not lead to exploitation
  • Issues requiring significant social engineering or physical access
  • Vulnerabilities in third-party dependencies that have been publicly disclosed and for which patches are pending vendor release
  • Theoretical vulnerabilities without proof of exploitability

7.3 Defence and Export-Controlled Systems

Vulnerabilities identified in systems subject to DISP, ISM PROTECTED or above, ITAR, or Defence Strategic Goods List controls are governed by separate classified handling procedures and must be reported immediately to [email protected] with appropriate DLM protective markings. Public disclosure of these vulnerabilities is prohibited and may result in criminal liability.

8. Policy Review and Maintenance

8.1 Review Schedule

This policy will be reviewed annually or following:

  • Significant changes to Tillered’s digital infrastructure or service offerings
  • Material security incidents or vulnerability disclosures that expose gaps in the process
  • Changes to regulatory requirements, including updates to the Information Security Manual (ISM), Essential Eight guidance, or DISP standards
  • Feedback from the security research community or external stakeholders

8.2 Policy Amendments

Policy amendments must be approved by the Chief Security Officer and reviewed by Legal and Compliance. Substantive changes will be communicated via the Tillered website and to individuals who have previously participated in the responsible disclosure programme.

9. Contact Information

Primary Security Contact:

Information Security Officer:

For Defence/DISP-Related Disclosures: