TOMORROW Financial Services Responsible Disclosure Policy
TOMORROW Financial Services Pty Ltd (TFS) is committed to implementing appropriate security measures to protect its systems and data.
We encourage you to inform us about any security vulnerability you identify that affects us, subject to the rules below.
TFS acknowledges the important role that responsible security researchers play in identifying vulnerabilities so that affected organisations can address them.
The following rules apply to your disclosure of a security vulnerability to us.
Entities covered by this Policy
- This Policy applies to TOMORROW Financial Services Pty Ltd ABN 94 618 000 196 (trading as TOMORROW Super) and its subsidiaries.
Security vulnerabilities within scope of this Policy
- A security vulnerability that could allow an attacker to compromise the availability, integrity or confidentiality of one of TFS’ systems, products or services is within the scope of this Policy.
- You may report to us under this Policy security issues of which you become aware. However, you are not authorised to actively look for such issues.
- You are authorised to look for, and report to us, in accordance with this Policy any security vulnerabilities that affect any other technology systems operated by TFS or operated for TFS by a third party.
- You are not authorised by this Policy to look for security vulnerabilities that affect TFS or any third party, except as stated above.
Exclusions from scope of this Policy
- You are not authorised under this Policy to look for issues relating to or arising from:
  - Physical security arrangements at any premises;
  - Social engineering activities (for example, phishing); or
  - Denial of service or other volume-based attacks.
- You are not authorised under this Policy to:
  - Do anything that may degrade the performance of any of our systems;
  - Send electronic messages to any person without their consent;
  - Access data relating to any person other than yourself;
  - Amend, delete or extract any data from any system;
  - Post any virus or malware on any system or otherwise use, handle or deploy any virus or malware;
  - Impersonate any other person;
  - Interrupt any of our services;
  - Use automated vulnerability scanners to check systems; or
  - Breach any law.
- The following people are excluded from the scope of this Policy:
  - Employees and officers of TFS; and
  - Technology or security contractors engaged by TFS, their employees and any other individuals they directly or indirectly engage for work relating to TFS.
How to report a vulnerability to us
- You can report a security vulnerability to us by completing this form.
- In your submission, please provide:
  - A short description of the vulnerability;
  - Details of the systems that are affected by the vulnerability;
  - Details of the security impact of the vulnerability (how could an attacker exploit it?);
  - Instructions on how we can reproduce or verify the vulnerability;
  - Any suggestions you have about how to fix the vulnerability; and
  - Any other relevant information.
- If you identify a security vulnerability you must not exploit it, including for any person’s gain or for the detriment of TFS or any other person. Instead you should describe in your submission the “proof of concept” as to how the vulnerability could be exploited by an attacker.
- We will aim to acknowledge your report promptly. If we consider the vulnerability material enough to make changes to our systems or practices, we will aim to let you know when we have done so.
- We encourage you to provide us with your full name and contact details. Unless otherwise required by law or by a regulator we will keep this information confidential.
Confidentiality
- You must not disclose a security vulnerability you report to us to any other person, except to the extent:
  - You are required by law to do so;
  - The vulnerability comes into the public domain other than due to your breach of this obligation; or
  - We provide our prior written consent.
Recognition
- If you are the first to inform us about a security vulnerability we don’t already know about, we may decide to offer you recognition.
- Recognition may take any form we consider appropriate, for example naming you in our “Hall of Fame” on our website, providing you with a gift or providing you with a cash payment. We may require you to enter a brief agreement with us as a condition of receiving recognition.
- When deciding whether to offer you recognition we will consider:
  - The potential impact of the security vulnerability on our business;
  - The quality of your report; and
  - Whether we consider the vulnerability material enough to make changes to our systems or practices.
Queries
- If you have any queries about this Policy or how it applies, please contact us via [email protected]. If in doubt, please ask us to avoid any unintentional breach of this Policy.
Changes to this Policy
- We may amend this Policy from time to time. We may also decide to revoke this Policy.
- This version of this Policy is dated November 2021.