How to report a vulnerability on Insolvency Service systems
Published 13 May 2022
A vulnerability is a technical issue with Insolvency Service systems which attackers or hackers could use to exploit the website and its users.
Vulnerabilities are covered by this policy if the security.txt file for the domain points to this page.
If you think you have found a technical security vulnerability on any of our services, report it using HackerOne: submit a vulnerability report.
You will not be paid a reward for reporting a vulnerability (known as a ‘bug bounty’).
1. How to report a vulnerability
Include in your report:
- the website, IP address or URL of the page where you found the vulnerability
- a description of the type of vulnerability, for example, an ‘XSS vulnerability’
- details of the steps we need to take to reproduce the vulnerability
- screenshots or logs if you have them
Report a vulnerability on HackerOne.
2. Guidelines for reporting a vulnerability
When you are investigating and reporting the vulnerability on our services, you must not:
- break the law
- access unnecessary or excessive amounts of data - 2 to 3 records is enough to demonstrate most vulnerabilities
- modify data on our systems
- use high-intensity invasive or destructive scanning tools to find vulnerabilities
- try a denial of service - for example, overwhelming our services with a high volume of requests
- disrupt our services or systems
- tell other people about the vulnerability you have found until we have disclosed it
- social engineer, phish or physically attack our staff or infrastructure
- demand money to disclose a vulnerability
Only submit reports about exploitable vulnerabilities through HackerOne.
You should not send reports about vulnerabilities that:
- cannot be exploited
- are about something you think can be improved - for example, missing security headers
- concern TLS configuration weaknesses - for example, weak cipher suite support or the presence of TLS 1.0 support
3. Data protection
You must follow data protection rules when reporting a vulnerability. This means you cannot share any data you might retrieve from GOV.UK when researching the vulnerability.
You must keep the data secure until you delete it. You must delete the data as soon as we do not need it any more or no later than 1 month after the vulnerability has been resolved - whichever comes first.
4. After you’ve reported the vulnerability
You’ll get updates on the progress of fixing the vulnerability through HackerOne, if you have an account.
You’ll get confirmation that we have received your report within 5 working days. We’ll try to assess your report within 10 working days. We prioritise fixes by impact, severity and exploit complexity.
Once the vulnerability has been fixed, we can work with you to disclose and publish the report.