Security Notice

This is the security notice for all Canadian Digital Service (CDS) repositories. If you're here because you found a vulnerability on a domain not on the list below, please contact the Canadian Centre for Cyber Security.

The notice explains how vulnerabilities should be reported to CDS. At CDS there is a cyber security team, as well as security-conscious people within the organization, that assess and triage all reported vulnerabilities.

The following domains are in scope for this notice:

  • *.digital.canada.ca
  • *.numerique.canada.ca
  • *.notification.canada.ca
  • *.cdssandbox.xyz
  • articles.alpha.canada.ca
  • forms-formulaires.alpha.canada.ca
  • list-manager.alpha.canada.ca
  • resources.alpha.canada.ca
  • scan-files.alpha.canada.ca
  • scan-websites.alpha.canada.ca

When you are investigating and reporting the vulnerability you must not:

  • Break the law.
  • Access unnecessary or excessive amounts of data.
  • Modify data.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Try a denial of service - for example overwhelming a service on canada.ca with a high volume of requests.
  • Disrupt Government of Canada's services or systems.
  • Tell other people about the vulnerability you have found until we have disclosed it.
  • Social engineer, phish or physically attack our staff or infrastructure.
  • Demand money to disclose a vulnerability.

Code of Conduct

Please view our contributors code of conduct for more information on how to contribute in an open and welcoming way.

Bug bounty

Unfortunately, CDS doesn't offer a paid bug bounty program.

How to report a vulnerability

CDS is an advocate of responsible vulnerability disclosure. If you've found a vulnerability, we would like to know so we can fix it.

In your report:

  • You can remain anonymous.
  • Only submit reports about an exploitable vulnerability. Do not submit reports detailing non-exploitable vulnerabilities, reports indicating that the services do not fully align with “best practice” (for example, missing security headers), or a high volume of low-quality reports (for example, from an automated scanner).
  • Do not communicate any vulnerabilities or associated details other than by means described in this notice.
  • Do not expect or demand financial compensation for your research and testing to disclose vulnerabilities.

Report a vulnerability

You can reach out via email at security+securite@cds-snc.ca if you are not sure if the vulnerability is genuine and exploitable, or you have found:

  • A non-exploitable vulnerability.
  • Something you think could be improved - for example, missing security headers.
  • TLS configuration weaknesses - for example, weak cipher suite support or the presence of TLS 1.0 support.

After you've reported the vulnerability

  • We will prioritize fixing the vulnerability by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address.
  • We will treat your report in accordance with the Access to Information Act and the Privacy Act.