Policy and Standards

DataVic Access Policy

Publicly accessible APIs in the Developer.Vic portal are made available in accordance with the DataVic Access Policy.

The DataVic Access Policy encourages Victorian agencies to make datasets freely available to the public, where possible. The Policy was developed to enable public access to government data to support research and education, innovation, and improvements in productivity and growth in the Victorian economy.

API Design Standards

The API Team is a key contributor to, and enthusiastic advocate of, the National API Design Standard available at https://api.gov.au/standards/.

The standards promote consistency and interoperability in the development of APIs and guide users through the full API lifecycle including design, development, build and management.

We welcome contributions to the development of the Standards through the Community of Practice, and through a dedicated GitHub community at https://github.com/apigovau/api-gov-au.

Vulnerability Disclosure Policy

This policy gives consumers of this service a point of contact to directly submit their research findings if they believe they have found a potential security vulnerability within any of the applications provided by the Whole of Victorian Government API Platform.

About this policy

The security of our systems is a top priority and we take every care to keep them secure. Despite our efforts, there may still be vulnerabilities.

We are keen to engage with the security community. This policy allows security researchers to share their findings with us. If you think you have found a potential vulnerability in one of our systems, services or products, please tell us as quickly as possible.

We will not compensate you for finding potential or confirmed vulnerabilities.

What this policy covers

This policy covers:

  • any product or service provided by the Whole of Victorian Government API Platform in accordance with the Terms and Conditions.

This policy does not cover:

  • clickjacking
  • social engineering or phishing
  • weak or insecure SSL ciphers and certificates
  • denial of service (DoS)
  • physical attacks
  • attempts to modify or destroy data

How to report a vulnerability

To report a vulnerability, email [email address obscured on the source page].

Include enough detail so we can reproduce your steps.

If you report a vulnerability under this policy, you must keep it confidential. Do not make your research public until we have finished investigating and fixed or mitigated the vulnerability.

What happens next

We will:

  • respond to your report within 5 business days
  • keep you informed of our progress
  • agree upon a date for public disclosure
  • credit you as the person who discovered the vulnerability unless you prefer us not to