This policy is intended to give guidelines for submitting vulnerabilities
discovered in the UK’s National Cyber Security Centre web platform and its
If you believe you've found a vulnerability in a UK government website or
system, please contact the owner. If there is not a point of contact (or no
response) you can report the vulnerability here.
What We’ll Do
We’ll make a best effort to respond to your report within 5 working days and aim
to triage your report within 10 working days. We’ll also try to keep you
informed about our progress throughout the process.
Once your vulnerability has been resolved, we welcome requests to disclose
your report via the HackerOne platform.
NCSC are excited to recognise contributions to making our web platform more
secure via this HackerOne VDP. However, we do not offer monetary rewards for
- Please do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving consent from NCSC.
- Please follow HackerOne's disclosure guidelines.
- Provide detailed reports with reproducible steps.
- Submit one vulnerability per report.
- Avoid submitting unvalidated reports from automated vulnerability scanners.
- Use the HackerOne contact channels to discuss a vulnerability report.
- Please do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- Please avoid intentionally accessing the content of any communications, data, or information transiting or stored on NCSC information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- Please do not exfiltrate any data under any circumstances.
- Please do not intentionally compromise the privacy or safety of NCSC personnel, or any third parties.
- Please do not conduct denial of service testing.
- Please do not conduct social engineering, including spear phishing.
- Vulnerabilities in third-party systems are not covered by this VDP.
- For issues that do not represent a security risk, please Contact NCSC.
- If you believe you've found a vulnerability in a UK government website or system, please contact the owner. If there is not a point of contact (or no response) you can report the vulnerability here.
Thank you for your help!