Report a vulnerability on a DVSA system
How to report a security vulnerability on any Driver and Vehicle Standards Agency (DVSA) service or system.
The Driver and Vehicle Standards Agency (DVSA) is responsible for:
- carrying out theory tests and driving tests
- approving people to be driving instructors and motorcycle trainers
- approving people to be MOT testers
- carrying out roadside checks on commercial drivers and vehicles
- monitoring recalls of vehicles, parts and accessories
- supporting the Traffic Commissioners for Great Britain and the Northern Ireland transport regulator to license and monitor companies who operate lorries, buses and coaches
About our vulnerability disclosure policy
A vulnerability is a technical issue with a DVSA system which attackers or hackers could use to exploit the system and its users.
Vulnerabilities are covered by this policy if the security.txt file for the domain points to this page.
You will not be paid a reward for reporting a vulnerability (known as a ‘bug bounty’).
Report a security vulnerability
Report a vulnerability on HackerOne.
Include in your report:
- the website, IP or page where you found the vulnerability
- a brief description of the type of vulnerability, for example ‘XSS vulnerability’
- details of the steps we need to take to reproduce the vulnerability
- screenshots or logs if you have them
Guidelines for reporting a vulnerability
When you are investigating and reporting the vulnerability, you must not:
- break the law
- access unnecessary or excessive amounts of data
- modify data
- use high-intensity invasive or destructive scanning tools to find vulnerabilities
- try a denial of service - for example overwhelming a service on DVSA’s services or systems
- social engineer, ‘phish’ or physically attack DVSA’s staff or infrastructure
- demand money to disclose a vulnerability
Contact DVSA to report other issues, including:
- non-exploitable vulnerabilities
- something you think could be improved - for example, missing security headers
- TLS configuration weaknesses - for example weak cipher suite support or the presence of TLS1.0 support
Data protection
You must:
- follow data protection rules
- keep the data secure until you delete it - you must delete the data as soon as we no longer need it or no later than 1 month after the vulnerability has been resolved (whichever comes first)
You must not share, redistribute or fail to properly secure data retrieved from DVSA’s systems or services
What happens next
You’ll get updates on the progress fixing the vulnerability through HackerOne, if you have an account.
We’ll confirm that we have received your report within 5 working days.
We’ll try to assess your report within 10 working days.
How we prioritise fixes
We prioritise fixes by looking at:
- the impact
- the severity
- how complex the exploit is
When the vulnerability has been fixed
We’ll contact you when the reported vulnerability has been fixed. We may ask you to check it has been fixed.
We can work with you to disclose and publish the report after the vulnerability has been fixed.