Vulnerability Disclosure and security.txt
In the Cabinet Office, including GDS, the Cyber Security team run a vulnerability disclosure programme with HackerOne and NCC Group to triage reports from security researchers.
This is not a sign post for security researchers to ‘hack’ our systems; we want to advocate secure disclosure so we can find out about issues and fix them before they cause a security incident.
GOV.UK hosts the security policy: https://www.gov.uk/help/report-vulnerability
security.txt file is a way of telling researchers how to get in contact with
us. As per the current policy, we only accept reports from services that have a
security.txt file pointing to the security policy.
We have a central deployment of the
security.txt file so that we only have to
keep one place up to date. The public alphagov/security.txt repo is where
You should use https://vdp.cabinetoffice.gov.uk/.well-known/security.txt in either:
- the origin for your site’s
- the destination of a redirect for
A note on the redirect mechanism, try implementing in the following order to ensure the best capability with all user agents:
- Server-side redirect (302 status and
Locationheader in response)
- Client-side HTML (meta
http-equiv=refreshtag in the head)
As well as
/.well-known/security.txt you may optionally configure
We do not recommend hosting the security.txt file yourself, but if you are
hosting it yourself, you should host at
/security.txt. You should use a
text/plain content type and
follow the current security.txt guidance.
security.txt file contains an acknowledgements page, which is used
for thanking researchers for valid reports. The page is a simple text file and
is hosted at: https://vdp.cabinetoffice.gov.uk/thanks.txt
thanks.txt file is also maintained in the alphagov/security.txt repo.
If your vulnerability report comes to the Cyber Security team, the team will engage with the researcher and ask if they would like to be added to the page.
If you receive and manage a report directly and want to acknowledge a researcher, check with them first and ask which name they wish to have displayed.