Vulnerability Disclosure and security.txt
The Cabinet Office Cyber Security team runs a vulnerability disclosure programme with HackerOne and NCC Group to triage reports from security researchers. This is not a signpost for security researchers to ‘hack’ our systems; we advocate secure disclosure so we can find out about issues and fix them before they cause a security incident.
The public security policy is here: https://www.gov.uk/help/report-vulnerability
GDS services are within scope of this programme and should participate by:
- publishing a security.txt file
- having a plan for how you would respond to a vulnerability notification (triage, escalation, etc.).
A security.txt file is a way of telling researchers how to get in contact with us. As per the current policy, we only accept reports from services that have a security.txt file pointing to the security policy.
We have a central deployment of the security.txt file so that we only have to keep one place up to date. The public alphagov/security.txt repo is where it is maintained.
You should use https://vdp.cabinetoffice.gov.uk/.well-known/security.txt in either:
- the origin for your site’s /.well-known/security.txt
- the destination of a redirect for /.well-known/security.txt
A note on the redirect mechanism: try implementing in the following order to ensure the best compatibility with all user agents:
- Server-side redirect (302 status and Location header in the response)
- Client-side HTML (meta http-equiv=refresh tag in the head)
As well as /.well-known/security.txt you may optionally configure /security.txt.
We do not recommend hosting the security.txt file yourself, but if you are hosting it yourself, you should host it at /security.txt. You should use a text/plain content type and follow the current security.txt guidance.
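A check for the three deployment options above (server-side redirect, client-side meta refresh, or a self-hosted text/plain file that references the policy), added here as an example and not code from the original page or the alphagov/security.txt repo; the /.well-known/security.txt path, the central file URL and the policy URL come from this page, and the `fetch` helper, the accepted redirect codes and the meta-refresh pattern are assumptions.

```python
"""Check whether a site's /.well-known/security.txt follows the guidance above."""
import re
import urllib.error
import urllib.request

CENTRAL = "https://vdp.cabinetoffice.gov.uk/.well-known/security.txt"
POLICY = "https://www.gov.uk/help/report-vulnerability"
# Simple pattern for <meta http-equiv="refresh" content="0; url=..."> (assumed attribute order)
META_REFRESH = re.compile(
    r'<meta\s+http-equiv=["\']?refresh["\']?\s+content=["\']\s*\d+\s*;\s*url=([^"\'\s>]+)', re.I)


def evaluate(status: int, headers: dict, body: str = "") -> tuple[bool, str]:
    """Return (ok, reason) for one un-followed response to GET /.well-known/security.txt."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):  # server-side redirect; the page recommends 302
        location = h.get("location", "")
        if location == CENTRAL:
            return True, "server-side redirect to the central security.txt"
        return False, f"redirect does not target the central file: {location or '<no Location>'}"
    if status == 200:
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        if ctype == "text/html":  # client-side meta refresh fallback
            m = META_REFRESH.search(body)
            if m and m.group(1) == CENTRAL:
                return True, "client-side meta refresh to the central security.txt"
            return False, "HTML response without a meta refresh to the central file"
        if ctype != "text/plain":
            return False, f"self-hosted file must be text/plain, got {ctype or '<none>'}"
        if POLICY not in body:
            return False, "self-hosted file does not point to the public security policy"
        return True, "self-hosted text/plain file pointing to the policy"
    return False, f"unexpected status {status}"


def fetch(origin: str) -> tuple[int, dict, str]:
    """Fetch /.well-known/security.txt without following redirects (needs network access)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface 3xx responses as HTTPError instead of following them
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(origin.rstrip("/") + "/.well-known/security.txt", timeout=10)
        status = resp.status
    except urllib.error.HTTPError as err:
        resp, status = err, err.code
    return status, dict(resp.headers), resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    print(evaluate(*fetch(sys.argv[1] if len(sys.argv) > 1 else "https://www.gov.uk")))
```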
The security.txt file points to an acknowledgements page, which is used for thanking researchers for valid reports. The page is a simple text file and is hosted at: https://vdp.cabinetoffice.gov.uk/thanks.txt
The thanks.txt file is also maintained in the alphagov/security.txt repo.
If your vulnerability report comes to the Cyber Security team, the team will engage with the researcher and ask if they would like to be added to the page.
If you receive and manage a report directly and want to acknowledge a researcher, check with them first and ask which name they wish to have displayed.