Conditions of use
All users are encouraged to report vulnerabilities that may be used to launch a cyberattack and thereby adversely affect the availability, integrity or confidentiality of the systems and technological infrastructures of Québec government departments and bodies.
Your reason for filing a report
The reason for your intervention must be ethical and intended to protect or improve the systems and technological infrastructures of Québec government departments and bodies, including the information they hold.
Your undertaking
In submitting the vulnerability report form, you certify that you are acting in a constructive way to support cybersecurity, in the public interest and with no malevolent intentions—for example, you are not aiming for personal gain and are not engaged in espionage in order to acquire confidential information—because :
- you are reporting, as quickly as possible, a vulnerability discovered in a system or technological infrastructures of a Québec government department or body;
- you have not conducted tests with the goal of harming such systems and infrastructures or the information they contain and have not used the vulnerability beyond the minimum required to demonstrate its existence;
- you have taken the necessary steps to protect any information that may have come to your attention during your intervention and have not affected its integrity;
- during your intervention, you have not used, disclosed or retained any data;
- you have not contravened a Québec law and are not engaged in an illicit act such as social engineering, phishing, spamming, or denial of service;
- you have requested or will request authorization from the Centre gouvernemental de cyberdéfense before making public and detailing any vulnerability you have discovered, whether on social media or using any other means of communication;
- you are requesting no compensation for your intervention;
- you are acting in your personal capacity.
Undertaking by the government
The Québec government undertakes not to launch legal proceedings or file a complaint against you in connection with your report, provided that you comply with your undertaking. It also undertakes to pursue an open and secure dialogue with you about your vulnerability report.
Reporting a vulnerability
To report a vulnerability, you must use the form on this website. You can submit the form anonymously.
The Centre gouvernemental de cyberdéfense will examine all reports and all forms submitted.
If you include your contact information, the Centre may contact you to discuss the vulnerability reported.
Ineligible submissions
Some vulnerability reports may, at the discretion of the Centre, not be retained for processing, including those concerning:
- a vulnerability that cannot be exploited;
- a vulnerability that requires the use of an obsolete browser;
- weak encryption or a weak SSL or TLS certificate;
- a site labelled “not secure”;
- a recommendation concerning best practice, in particular with respect to:
- missing security headers,
- banner grabbing;
- anomalies in the user interface;
- improvements to the user experience;
- spelling mistakes.