





What is an incident?

We define an information security incident as an event that impacts the confidentiality, integrity or availability of a computer or network device through a deliberate act of attempted or unauthorised access, modification, damage, or disclosure.


Incident Reporting

The main purpose of reporting computer and network security incidents to us is to allow us to analyse the data contained in such reports and use it to:

  • provide the New Zealand public with a more accurate picture of the types of incidents and incident trends affecting New Zealand systems
  • provide educational resources addressing attack mitigation strategies

In our Incident Reporting form below (which can be manually copied into an e-mail client), many of the answers are optional, but the more information you provide, the more credibility we give the report. Anonymous reports may be accepted, as long as they contain sufficient information to allow us to verify certain aspects of them.

Please note that resource constraints may prevent us from personally responding to each incident reported, or offering the assistance you require.

We prefer to receive incident reports by email. If you wish to ensure the information you provide is not read by unauthorised people whilst in transit, please encrypt it using PGP or GPG. Our public PGP key is located here. Please phone us if you wish to verify the key fingerprint.


NZCERT Incident Reporting Form

1.1 Date:
1.2 Organisation:
1.3 Your Name:
1.4 E-mail Address:
1.5 Telephone Number:
1.6 Fax Number:

2. What assistance would you like?

3. Type of Incident?
(e.g. website defacement, denial of service, virus outbreak, etc.)

4. How was the incident detected?
(e.g. by System Administrator, Log Analysis, IPS/IDS System, etc.)

5. Incident Description:
(please describe the incident as best you can, including dates and times, suspected attack method and purpose)

6. Systems/Hosts Affected? (duplicate for each host affected)
6.1 Hostname and IP address?
6.2 Function of Host (e.g. webserver, mailserver, etc)?
6.3 Host Operating System?
6.4 Host Patch Level?
6.5 Host Anti-virus installed (Yes/No)?

7. Apparent Source of the Attack? (duplicate for each host affected)
7.1 Hostname or IP address?
7.2 Attack start and finish times?

8. Are system logs available (Yes/No)? If Yes, please include a few (no more than 10) lines of relevant log entries in ASCII text for each system.

9. Do you consent to the release of this information to law enforcement and/or the appropriate Commonwealth agencies (Yes/No)?

10. Please provide your PGP/GPG public key if available.




©Copyright 2006 NZCERT All Rights Reserved
For more information feel free to contact us
