Skip to main content

The GDS Way and its content is intended for internal use by the GDS community.

Vulnerability Disclosure and security.txt

Vulnerability Disclosure

The Cabinet Office Cyber Security team runs a vulnerability disclosure programme with HackerOne and NCC Group to triage reports from security researchers. This is not a sign post for security researchers to ‘hack’ our systems; we advocate secure disclosure so we can find out about issues and fix them before they cause a security incident.

The public security policy is here: https://www.gov.uk/help/report-vulnerability

GDS services are within scope of this programme and should participate by:

  • publishing a security.txt
  • having a plan for how you would respond to a vulnerability notification (triage, escalation, etc.).

security.txt

A security.txt file is a way of telling researchers how to get in contact with us. As per the current policy, we only accept reports from services that have a security.txt file pointing to the security policy.

We have a central deployment of the security.txt file so that we only have to keep one place up to date. The public alphagov/security.txt repo is where it’s maintained.

You should use https://vdp.cabinetoffice.gov.uk/.well-known/security.txt in either:

  • the origin for your site’s /.well-known/security.txt
  • the destination of a redirect for /.well-known/security.txt

A note on the redirect mechanism, try implementing in the following order to ensure the best capability with all user agents:

  1. Server-side redirect (302 status and Location header in response)
  2. Client-side HTML (meta http-equiv=refresh tag in the head)
  3. Client-side JavaScript redirect (window.location.href) - this won’t work if JavaScript is disabled, so you should display a link as well

As well as /.well-known/security.txt you may optionally configure /security.txt.

We do not recommend hosting the security.txt file yourself, but if you are hosting it yourself, you should host at /.well-known/security.txt and optionally /security.txt. You should use a text/plain content type and follow the current security.txt guidance.

thanks.txt

The central security.txt file contains an acknowledgements page, which is used for thanking researchers for valid reports. The page is a simple text file and is hosted at: https://vdp.cabinetoffice.gov.uk/thanks.txt

The thanks.txt file is also maintained in the alphagov/security.txt repo.

If your vulnerability report comes to the Cyber Security team, the team will engage with the researcher and ask if they would like to be added to the page.

If you receive and manage a report directly and want to acknowledge a researcher, check with them first and ask which name they wish to have displayed.

This page was last reviewed on 21 November 2023. It needs to be reviewed again on 21 November 2024 by the page owner #gds-way .