Tell us whether you accept cookies

We use necessary cookies to make our website work. We also use cookies to collect information about how you use HSE.gov.uk so we can improve our services.

Beta This is a new way of showing guidance - your feedback will help us improve it.

Report a security vulnerability

The HSE takes the security of our web site seriously. If you believe you have found a vulnerability in the HSE web site, you can report it.

Vulnerability disclosure policy

We recommend reading this disclosure policy fully before you report any vulnerabilities, and act in compliance with it.

Please note that this policy does not provide any form of indemnity for any actions if they are either in breach of the law or of this policy. It does not provide an indemnity from the HSE or any third party.

Scope

This disclosure policy only applies to vulnerabilities in the HSE products and services under the following conditions:

Reporting

If you have discovered something you believe to be an ‘in-scope’ security vulnerability, first you should check the above details for more information about scope, then submit a report on this page.

In your submission, include details of:

Your report should provide a benign, non-destructive, proof of exploitation. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

What to expect

After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We’ll also keep you informed about our progress via HackerOne throughout the process if you have registered for an account.

Priority for bug fixes or mitigations is assessed by looking at the impact severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status of the process but should avoid doing so more than once every 14 days.

When the reported vulnerability is resolved, or remediation work is scheduled, the Vulnerability Disclosure Team will notify you, and invite you to confirm that the solution covers the vulnerability adequately.

Guidance

You must NOT:

We ask you to securely delete any and all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first.

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the HSE to be in breach of any of its legal obligations, including but not limited to:

HSE will not seek prosecution of any security researcher who reports any security vulnerability on a HSE service or system, where the researcher has acted in good faith and in accordance with this disclosure policy.

Updated: 2020-03-12