Guidance

Report a security issue in an HMRC online service

Find out how to report a potential security issue or vulnerability in an HMRC online service and what information to provide.

• From: HM Revenue & Customs
• Published: 18 April 2018
• Last updated: 22 July 2024 — See all updates

If you think you’ve found a security issue in an HMRC online service you should:

• report it to us as soon as possible using the National Cyber Security Centre (NCSC) Vulnerability Reporting Service on their website
• avoid doing anything to exploit it

To help us understand the nature and scope of the issue, you will be asked about:

• the type of issue (for example, buffer overflow, SQL injection, cross-site scripting)
• a proof-of-concept or exploit code
• the location of the bug or the relevant URL
• the impact of the issue, including how an attacker could exploit it

What happens next

HMRC takes the security of online systems very seriously. We’ll investigate all reports and take action where necessary.

You will only receive an update for your report if you sign up to the NCSC platform.

Published 18 April 2018
Last updated 22 July 2024 + show all updates

1. 22 July 2024

   Information about what you should do when you find a security issue in an HMRC online service has been updated.

2. 8 April 2024

   The email address for reporting security vulnerabilities has been updated and information about encrypting an email before reporting a security vulnerability has been removed.

3. 20 August 2019

   Welsh version of the guidance has been added.

4. 9 August 2019

   Information for the National Cyber Security Centre Vulnerability Reporting Service added to the page.

5. 18 April 2018

   First published.