Skip to main content

The GDS Way and its content is intended for internal use by the GDS and CO CDIO communities.

Vulnerability Disclosure and security.txt

Vulnerability Disclosure

In the Cabinet Office, including GDS, the CDIO Cyber Security team run a vulnerability disclosure programme with HackerOne and NCC Group to triage reports from security researchers.

This is not a sign post for security researchers to ‘hack’ our systems; we want to advocate secure disclosure so we can find out about issues and fix them before they cause a security incident.

GOV.UK hosts the security policy: https://www.gov.uk/help/report-vulnerability

security.txt

A security.txt file is a way of telling researchers how to get in contact with us. As per the current policy, we only accept reports from services that have a security.txt file pointing to the security policy.

We have a central deployment of the security.txt file so that we only have to keep one place up to date. The public alphagov/security.txt repo is where it’s maintained.

You should use https://vdp.cabinetoffice.gov.uk/.well-known/security.txt in either:

  • the origin for your site’s /.well-known/security.txt
  • the destination of a 302 redirect for /.well-known/security.txt

As well as /.well-known/security.txt you may optionally configure /security.txt.

We do not recommend hosting the security.txt file yourself, but if you are hosting it yourself, you should host at /.well-known/security.txt and optionally /security.txt. You should use a text/plain content type and follow the current security.txt guidance.

thanks.txt

The central security.txt file contains an acknowledgements page, which is used for thanking researchers for valid reports. The page is a simple text file and is hosted at: https://vdp.cabinetoffice.gov.uk/thanks.txt

The thanks.txt file is also maintained in the alphagov/security.txt repo.

If your vulnerability report comes through from the CDIO Cyber Security team, the team will engage with the researcher and ask if they would like to be added to the page.

If you receive and manage a report directly and want to acknowledge a researcher, check with them first and ask which name they wish to have displayed.

This page was last reviewed on 22 April 2021. It needs to be reviewed again on 22 October 2021 by the page owner #gds-way .
This page was set to be reviewed before 22 October 2021 by the page owner #gds-way. This might mean the content is out of date.