Vulnerability Disclosure and security.txt
Vulnerability Disclosure
The Cabinet Office Cyber Security team runs a vulnerability disclosure programme with HackerOne and NCC Group to triage reports from security researchers. This is not a signpost for security researchers to ‘hack’ our systems; we advocate secure disclosure so we can find out about issues and fix them before they cause a security incident.
The public security policy is here: https://www.gov.uk/help/report-vulnerability
GDS services are within scope of this programme and should participate by:
- publishing a security.txt
- having a plan for how you would respond to a vulnerability notification (triage, escalation, etc.).
security.txt
A security.txt file is a way of telling researchers how to get in contact with us. As per the current policy, we only accept reports from services that have a security.txt file pointing to the security policy.
We have a central deployment of the security.txt file so that we only have to keep one place up to date. The public alphagov/security.txt repo is where it’s maintained.
You should use https://vdp.cabinetoffice.gov.uk/.well-known/security.txt in either:
- the origin for your site’s /.well-known/security.txt
- the destination of a redirect for /.well-known/security.txt
A note on the redirect mechanism: try the following options in this order to ensure the best compatibility with all user agents:
- Server-side redirect (302 status and Location header in the response)
- Client-side HTML (meta http-equiv=refresh tag in the head)
- Client-side JavaScript redirect (window.location.href) - this won’t work if JavaScript is disabled, so you should display a link as well
As well as /.well-known/security.txt you may optionally configure /security.txt.
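The redirect options above, and the optional /security.txt path, as an added example that is not GDS code. It is a minimal Python http.server handler: route() is a pure function that produces the preferred server-side 302 with a Location header for both paths, and fallback_html() builds the page you would serve on a host where you cannot set a status code (meta refresh, then a JavaScript redirect, plus a visible link for agents with JavaScript disabled). The handler class, the function names and the local listening address are assumptions for the demonstration.

```python
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer

# The central file the guidance tells services to point at.
CENTRAL_SECURITY_TXT = "https://vdp.cabinetoffice.gov.uk/.well-known/security.txt"
# Paths to redirect; /security.txt is the optional extra the guidance mentions.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")


def route(path: str) -> tuple:
    """Server-side redirect (preferred option): 302 plus a Location header.

    Pure function returning (status, headers, body) so the routing can be
    checked without binding a socket. Hypothetical helper for this example.
    """
    clean = path.split("?", 1)[0]  # ignore any query string
    if clean in SECURITY_TXT_PATHS:
        return (int(HTTPStatus.FOUND), {"Location": CENTRAL_SECURITY_TXT}, b"")
    return (int(HTTPStatus.NOT_FOUND), {"Content-Type": "text/plain"}, b"not found\n")


def fallback_html(target: str = CENTRAL_SECURITY_TXT) -> str:
    """Client-side fallbacks for hosts where you cannot set a status code:
    a meta refresh in <head>, then a JavaScript redirect, plus a visible link
    because the script does nothing when JavaScript is disabled."""
    return (
        "<!DOCTYPE html>\n<html>\n<head>\n"
        f'  <meta http-equiv="refresh" content="0; url={target}">\n'
        f'  <script>window.location.href = "{target}";</script>\n'
        "  <title>security.txt</title>\n</head>\n<body>\n"
        f'  <p>Our security.txt is at <a href="{target}">{target}</a></p>\n'
        "</body>\n</html>\n"
    )


class SecurityTxtHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies route() to every GET request."""

    def do_GET(self):
        status, headers, body = route(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed local address for the demo; request /.well-known/security.txt.
    HTTPServer(("127.0.0.1", 8080), SecurityTxtHandler).serve_forever()
```

Note that the Location value is the absolute URL of the central file, so a redirect-following client ends up on vdp.cabinetoffice.gov.uk rather than a relative path on your own origin.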
We do not recommend hosting the security.txt file yourself, but if you are hosting it yourself, you should host at /.well-known/security.txt and optionally /security.txt. You should use a text/plain content type and follow the current security.txt guidance.
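If you do host the file yourself, a pre-publication check catches the common mistakes (missing Contact, a stale or absent Expires, a file that does not point at the policy). The following is an added example, not GDS code. It assumes the "current security.txt guidance" is RFC 9116 (the format's published standard), and the two sample files are constructed for the demonstration; the function names and the fixed CHECK_TIME clock are assumptions too.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# The policy every GDS service's security.txt must point at (from the guidance above).
POLICY_URL = "https://www.gov.uk/help/report-vulnerability"
# Field names defined by RFC 9116 (assumed to be the "current guidance").
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}


def parse_security_txt(text: str) -> List[Tuple[str, str]]:
    """Split a security.txt body into (name, value) pairs.

    Field names are case-insensitive, so they are lower-cased; blank lines
    and '#' comments are skipped; anything else must be 'Name: value'.
    """
    fields = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'Name: value'")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def check_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as err:
        return [str(err)]

    by_name = {}
    for name, value in fields:
        by_name.setdefault(name, []).append(value)

    problems = [f"unknown field: {name}" for name in sorted(set(by_name) - KNOWN_FIELDS)]

    # Contact is mandatory and each value must be a URI (https://, mailto:, tel:).
    contacts = by_name.get("contact", [])
    if not contacts:
        problems.append("missing Contact (required)")
    for value in contacts:
        if not value.startswith(("https://", "mailto:", "tel:")):
            problems.append(f"Contact is not a URI: {value}")

    # Expires is mandatory, must appear once, and should be in the future but
    # less than a year away so the file cannot silently go stale.
    expires = by_name.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("Expires is in the past")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year away")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")

    # GDS rule: reports are only accepted when the file points at the policy.
    if POLICY_URL not in by_name.get("policy", []):
        problems.append(f"Policy must include {POLICY_URL}")
    return problems


# Constructed samples for the demo (example.gov.uk is a placeholder domain).
GOOD_SAMPLE = """\
# Constructed sample for a self-hosted file
Contact: mailto:security@example.gov.uk
Expires: 2030-06-30T00:00:00Z
Policy: https://www.gov.uk/help/report-vulnerability
Preferred-Languages: en
"""

BAD_SAMPLE = """\
Contact: security at example.gov.uk
Expires: 2020-01-01T00:00:00Z
Canonicial: https://www.example.gov.uk/.well-known/security.txt
"""

CHECK_TIME = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_security_txt(sample, CHECK_TIME) or "OK")
```

Run it against the file you intend to serve before it goes live, and again from a scheduled job: the Expires check is the one that fails quietly months later if nobody owns the file.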
thanks.txt
The central security.txt file contains an acknowledgements page, which is used for thanking researchers for valid reports. The page is a simple text file and is hosted at: https://vdp.cabinetoffice.gov.uk/thanks.txt
The thanks.txt file is also maintained in the alphagov/security.txt repo.
If your vulnerability report comes to the Cyber Security team, the team will engage with the researcher and ask if they would like to be added to the page.
If you receive and manage a report directly and want to acknowledge a researcher, check with them first and ask which name they wish to have displayed.