As a Commonwealth organisation, we comply with our statutory obligations including in relation to Freedom of Information, parliamentary reporting, publication of information and Public Interest Disclosures.
The Freedom of Information Act 1982 gives a general right to individuals to request access to documents held by our organisation.
We also publish an Freedom of Information Disclosure Log.
We are required to publish information held by our organisation that we routinely provide to the Australian Parliament in response to requests and orders from the Senate.
We publish information on this site as part of the Information Publication Scheme, set up under the Freedom of Information Act 1982 to promote public access to information held by government agencies.
Our Public Interest Disclosure Scheme is available to ‘Public Officials’ to make public interest disclosures.
FFMA vulnerability disclosure policy
This policy gives security researchers a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within the Future Fund.
About this policy
The security of our systems is a top priority and we take every care to keep them secure. Despite our efforts, there may still be vulnerabilities. We are keen to engage with the security community. This policy allows security researchers to share their findings with us. If you think you have found a potential vulnerability in one of our systems, services or products, please tell us as quickly as possible.
We will not compensate you or publish your name for finding potential or confirmed vulnerabilities.
What this policy covers
This policy covers:
- any product or service wholly owned by our agency to which you have lawful access.
This policy does not cover:
- social engineering or phishing
- weak or insecure SSL ciphers and certificates
- denial of service (DoS)
- physical attacks
- attempts to modify or destroy data.
How to report a vulnerability
To report a vulnerability, email us with enough detail so we can reproduce your steps. If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability.
Vulnerability disclosure contact
A point of contact for users to directly submit their research findings if they believe they have found a potential security vulnerability within the Future Fund.
What happens next
- respond to your report within 10 business days.
- keep you informed of our progress