This is the security notice for all Canadian Digital Service (CDS) repositories. If you're here because you found a vulnerability on a domain not on the list below, please contact the Canadian Centre for Cyber Security.
This notice explains how vulnerabilities should be reported to CDS. CDS has a cyber security team, supported by security-conscious people across the organization, that assesses and triages every reported vulnerability.
The following domains are in-scope of this notice:
- *.digital.canada.ca
- *.numerique.canada.ca
- *.notification.canada.ca
- *.cdssandbox.xyz
- articles.alpha.canada.ca
- forms-formulaires.alpha.canada.ca
- list-manager.alpha.canada.ca
- resources.alpha.canada.ca
- scan-files.alpha.canada.ca
- scan-websites.alpha.canada.ca
When you are investigating and reporting the vulnerability, you must not:
- Break the law.
- Access unnecessary or excessive amounts of data.
- Modify data.
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Attempt a denial of service - for example, overwhelming a service on canada.ca with a high volume of requests.
- Disrupt the Government of Canada's services or systems.
- Tell other people about the vulnerability you have found until we have disclosed it.
- Social engineer, phish or physically attack our staff or infrastructure.
- Demand money to disclose a vulnerability.
Code of Conduct
Please view our contributor code of conduct for more information on how to contribute in an open and welcoming way.
Bug bounty
Unfortunately, CDS doesn't offer a paid bug bounty program.
How to report a vulnerability
CDS is an advocate of responsible vulnerability disclosure. If you've found a vulnerability, we would like to know so we can fix it.
In your report:
- You can remain anonymous.
- Only submit reports about an exploitable vulnerability. Do not submit reports describing non-exploitable findings or deviations from "best practice" (for example, missing security headers), and do not submit a high volume of low-quality reports, such as unfiltered output from an automated scanner.
- Do not communicate any vulnerabilities or associated details other than by means described in this notice.
- Do not expect or demand financial compensation for your research and testing to disclose vulnerabilities.
You can reach out via email at security+securite@cds-snc.ca if you are not sure whether the vulnerability is genuine and exploitable, or if you have found:
- A non-exploitable vulnerability.
- Something you think could be improved - for example, missing security headers.
- TLS configuration weaknesses - for example, weak cipher suite support or the presence of TLS 1.0 support.
After you've reported the vulnerability
- We will prioritize fixing the vulnerability based on its impact, severity and exploit complexity. Reports may take some time to triage and address.
- We will treat your report in accordance with the Access to Information Act and the Privacy Act.