MPIT PTY LTD

Responsible Disclosure & Rules of Engagement

Last updated: 1 May 2026

Contents

  1. Our position
  2. Authorisation
  3. Scope & out-of-scope
  4. Methods & restrictions
  5. Data handling
  6. Reporting
  7. Coordinated disclosure of third-party vulnerabilities
  8. Independent research
  9. Reporting a vulnerability to us
  10. Legal safe harbour

1. Our position

MPIT PTY LTD performs offensive security work strictly within the law and only with documented authorisation. This page sets out (a) the Rules of Engagement we follow when testing on behalf of clients, (b) how we coordinate disclosure of vulnerabilities we discover, and (c) how outside researchers can responsibly report issues to us.

2. Authorisation

Before any active testing begins, we require:

  • A signed engagement letter or Statement of Work identifying the client and the legal entity that owns the in-scope assets.
  • Written confirmation that the signatory has authority to authorise testing of those assets.
  • A defined window during which testing may occur, with named technical and emergency points of contact on both sides.

If any portion of the target environment is hosted, leased, or operated by a third party (cloud provider, MSP, vendor), the client must confirm that any required notification or authorisation from that third party has been obtained.

3. Scope & out-of-scope

The SOW identifies in-scope networks, applications, accounts, and physical locations. Anything not listed is out of scope. By default the following are out of scope unless explicitly added in writing:

  • Production systems where testing could meaningfully degrade service to end users without prior coordination.
  • Third-party-hosted infrastructure not owned by the client.
  • Personal devices, accounts, and data of staff who are not knowing participants.
  • Safety-critical systems (medical, industrial control, aviation, automotive) without specialist agreement.

4. Methods & restrictions

  • We do not deploy techniques designed to permanently destroy data or backups.
  • We do not perform sustained denial-of-service attacks except where explicitly contracted.
  • Phishing and social-engineering scenarios are conducted only where authorised; collected credentials are stored securely and destroyed at engagement end.
  • Physical engagements (red team, on-site assessments) require letters of authorisation that staff can carry; all reasonable efforts are made to avoid involvement of police or third-party security without coordination.
  • Any access we obtain is the minimum needed to demonstrate impact. We do not exfiltrate more data than necessary, and we do not pivot to systems outside the agreed scope.

5. Data handling

Findings, captured artefacts, and any data accessed during testing are treated as the client’s confidential information. We store them in encrypted, access-controlled environments, retain them only for the period agreed in the SOW (typically 30–90 days post-report unless otherwise required), and securely destroy them thereafter.

6. Reporting

At the end of an engagement we deliver:

  • An executive summary suitable for non-technical stakeholders.
  • Detailed technical findings with reproduction steps, impact analysis, and prioritised remediation guidance.
  • Where relevant, a re-test of remediated findings within an agreed window.

7. Coordinated disclosure of third-party vulnerabilities

If we discover a previously unknown vulnerability in third-party software or services during the engagement, we follow a coordinated-disclosure approach:

  1. Notify the client first.
  2. Notify the affected vendor through their published channel (or via CERT/CC, AusCERT, or a national CSIRT where no vendor channel exists).
  3. Allow a reasonable remediation window — typically 90 days from notification — before any public disclosure.
  4. Coordinate timing of any public write-up or CVE assignment with the vendor and our client.

8. Independent research

Where we publish independent vulnerability research outside of a client engagement, we do so on assets we own, on assets we are authorised to test (such as bug bounty in-scope targets), or against deliberately vulnerable lab environments. We do not publish exploit code intended to enable attacks on unauthorised targets.

9. Reporting a vulnerability to us

If you believe you have found a security issue affecting MPIT’s own infrastructure (this website, our email, or other systems we operate), please tell us. We welcome reports made in good faith.

How to report:

  • Email: info@mpit.com.au with the subject line beginning SECURITY:
  • Include enough information to reproduce the issue (URLs, payloads, steps, screenshots).
  • Where possible, encrypt sensitive details; a PGP key is available on request.

We will:

  • Acknowledge receipt, normally within 3 business days.
  • Investigate, validate, and provide a response.
  • Credit you in any public advisory, if you wish.

10. Legal safe harbour

If you make a good-faith effort to comply with this policy when testing or reporting against systems we operate, we will:

  • Not pursue legal action against you for activities that fall within the policy.
  • Work with you to understand and resolve the issue quickly.

Activities outside this policy — for example, accessing data beyond what is needed to demonstrate the issue, degrading service, modifying or deleting data, or testing against systems not operated by us — are not covered.

This policy does not authorise activities that would breach Australian law (including the Criminal Code Act 1995 (Cth)) or the law of any other jurisdiction. If in doubt, contact us before testing.


© 2026 MPIT PTY LTD. All rights reserved.

ABN: 36 639 649 308