The firm
Responsible disclosure.
Corvian Partners Pty Ltd (ABN 62 687 179 415) (“Corvian”, “the firm”, “we”, “us”)
The firm values the work of the security community and welcomes the good-faith reporting of security vulnerabilities affecting the firm’s website and infrastructure. These terms govern participation in the firm’s responsible disclosure program. By submitting a report or conducting testing, you agree to these terms.
These terms are referenced by the firm’s published security.txt at
https://corvian.com.au/.well-known/security.txt
and complement the firm’s Website Terms of Use.
1. Scope
In scope:
- the firm’s public website at
corvian.com.auand its subdomains; and - security weaknesses in the firm’s publicly reachable web infrastructure that could affect the confidentiality, integrity, or availability of that website.
Out of scope:
- any system, application, or property not operated by the firm, including third-party services the site links to or relies on (for example LinkedIn, Signal, scheduling tools, and the firm’s hosting, analytics, email, and practice-management providers) – report those to the relevant provider;
- the firm’s clients, their systems, and any matter-related or confidential information;
- physical security, and the firm’s personnel, offices, and devices; and
- findings that require access to a victim’s device, a compromised account, or a defeated browser to exploit.
2. Good-faith safe harbour
The firm will not pursue or support legal action against you for security research and disclosure carried out in good faith and in accordance with these terms. To the extent the firm is able to do so, the firm authorises the access and testing described in these terms and will treat it as authorised and not a breach of the firm’s Website Terms of Use.
This safe harbour:
- applies only to conduct that stays within scope and within the rules in clause 3;
- does not extend to conduct that is reckless, that harms the firm or others, or that breaches the privacy or rights of any person; and
- cannot waive the rights of third parties, and does not authorise action against systems or data the firm does not own or control. If a third party brings action against you for conduct undertaken in good faith under these terms, the firm will, on request, make clear that your conduct was authorised by it.
If you are unsure whether a specific action is authorised, contact the firm and ask before proceeding.
3. Rules of engagement
To stay within the program, you must:
- act in good faith, and only to the extent necessary to find and demonstrate a vulnerability;
- stop immediately and report once you have identified a vulnerability or encountered any personal, confidential, or client data;
- not access, copy, modify, retain, or destroy data that is not your own, and use only test accounts or data you own or are authorised to use;
- not degrade, interrupt, or deny service – no denial-of-service, no automated high-volume scanning that disrupts the site, no resource-exhaustion testing;
- not use social engineering, phishing, or any technique targeting the firm’s personnel, clients, or service providers, and not attempt physical access;
- not exfiltrate any data, and not publicly disclose or share any vulnerability, finding, or data obtained, except as permitted under clause 6; and
- comply with all applicable laws.
4. How to report
Submit reports through the channels published in the firm’s security.txt: the
firm’s Contact page.
For sensitive reports, you may request a secure channel; for active, time-critical issues, Signal is monitored and end-to-end encrypted (see the Contact page).
A useful report includes: the affected URL or component, the vulnerability type, a clear description, the steps to reproduce, and any proof-of-concept necessary to demonstrate impact. Please do not include live personal or client data in your report; describe it instead.
5. What you can expect
- Acknowledgement within a reasonable period, consistent with the firm’s enquiry protocol.
- Assessment of validity, severity, and impact, and an indication of expected timing where practicable.
- Updates at reasonable intervals and notice when the issue is resolved.
- Recognition of your contribution where you wish to be credited and the report led to a fix.
This program does not offer monetary rewards or a bug bounty. Participation is voluntary and not for payment.
6. Coordinated disclosure
Please keep findings confidential and give the firm a reasonable opportunity to remediate before any disclosure. The firm asks that you do not disclose publicly for at least 90 days from your report, or until the firm confirms the issue is resolved, whichever is earlier, and that any later disclosure is coordinated with the firm and omits data obtained during testing. The firm will engage with reasonable disclosure timelines in good faith.
7. Privacy
Personal information in a report is handled in accordance with the firm’s Privacy Policy. If, despite clause 3, you encounter personal or confidential information, you must not retain or disclose it and should tell the firm so it can be addressed.
8. No obligation; changes
Submitting a report does not create any obligation on the firm to act, to respond on any
particular timeline, or to provide any reward, and does not create a relationship between
you and the firm beyond these terms. The firm may amend or discontinue this program at any
time by updating these terms and its security.txt; the version in force is the
one published when you participate.
9. Governing law
These terms are governed by the laws of New South Wales, Australia, and are subject to the non-exclusive jurisdiction of the courts of New South Wales.
10. Contact
Corvian Partners Pty Ltd
Contact page
Security contact: security.txt
Last updated: June 2026