Guidance

Report a vulnerability on a Department for Education system

Guidance on how to report a security vulnerability on a Department for Education (DfE) service or system.

Applies to England

Report a vulnerability

If you discover something you believe to be an in-scope security vulnerability on a DfE system you should:

  1. Read this vulnerability disclosure policy fully.
  2. Check for more information about what we consider to be in-scope.
  3. Submit a vulnerability report.

Vulnerability disclosure policy

This DfE vulnerability disclosure policy applies to any information technology (IT) or cyber security vulnerabilities you’re considering reporting to us.

We recommend reading this policy fully before you report a vulnerability. We are grateful to those who take the time to report security vulnerabilities according to this policy, however, we do not offer financial rewards for vulnerability disclosures.

DfE actively endorses and supports working with the research and security practitioner community to improve our online security. We welcome investigative work into security vulnerabilities carried out by well-intentioned and ethical security researchers.

We are committed to:

  • investigating and resolving security issues in our platform and services thoroughly
  • working in collaboration with the security community
  • responding promptly and actively

Scope

This policy only applies to vulnerabilities found in DfE products and services under the following conditions.

In scope vulnerabilities must be:

  • original
  • previously unreported
  • not already discovered by internal procedures

Not in scope:

  • volumetric vulnerabilities (DoS): this means that simply overwhelming a service with a high volume of requests will not be accepted
  • reports of non-exploitable vulnerabilities and reports indicating that our services do not fully align with ‘best practice’ (for example missing security headers)
  • TLS configuration weaknesses, for example, ‘weak’ cipher suite support or the presence of TLS 1.0 support

This policy applies to all external parties, third party suppliers and general users of DfE public services.

How to report a vulnerability

If you believe you’ve found a security vulnerability in any of DfE’s services or systems, submit your report to us through HackerOne.

Include details of:

  • the website, IP or page where the vulnerability was encountered or seen
  • a brief description of the type of vulnerability, for example: ‘XSS vulnerability’
  • steps to reproduce; these steps should be a non-destructive proof of concept

Including steps to reproduce the vulnerability helps us to triage the report quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

Guidelines for reporting a vulnerability

You should:

  • always comply with data protection rules and not violate the privacy of DfE users, staff, contractors, services or systems – you must not, for example, share, redistribute or fail to properly secure data retrieved from systems or services
  • securely delete all data retrieved during your research as soon as it’s no longer required, or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law)

You must not:

  • break any applicable law or regulations
  • access unnecessary, excessive or significant amounts of data
  • modify data in DfE systems or services
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • attempt or report any form of denial of service (for example, overwhelming a DfE service with a high volume of requests)
  • disrupt DfE’s services or systems
  • submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with ‘best practice’ (for example, missing security headers)
  • submit reports describing TLS configuration weaknesses, for example ‘weak’ cipher suite support or the presence of TLS 1.0 support
  • communicate any vulnerabilities or associated details other than by means described in the published security.txt
  • socially engineer, ‘phish’ or physically attack DfE’s staff or infrastructure
  • demand financial compensation to disclose any vulnerabilities

What to expect after you’ve made your report

After you have submitted your report, we’ll respond within 5 working days. Priority is assessed by looking at the impact, severity and exploit complexity of the vulnerability.

Vulnerability reports can take some time to address. You’re welcome to enquire about the status of your report but avoid doing so more than once every 2 weeks. This allows our teams to focus on fixing the vulnerability.

We’ll tell you when the reported vulnerability is fixed and may ask you to confirm that the solution has worked for you.

Once the vulnerability has been resolved, you can ask DfE to disclose your report. Disclosing helps us unify and improve our guidance to those affected, so coordinating and including DfE in any of your information releases can be helpful.

If we can confirm and resolve the vulnerability, we’ll offer to include you on our thanks and acknowledgement page. We’ll ask you to confirm the details you want to include before anything is published.

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause DfE or partner organisations to be in breach of any legal obligations.

If legal action is initiated by a third party against you and you have complied with this policy, we can take steps to make it known that your actions were conducted in compliance with this policy.

Updates to this page

Published 23 September 2024