GovWire

Guidance: Report a vulnerability on a Department for Education system

Department For Education

23 September 2024, 13:33

Report a vulnerability

If you discover something you believe to be an in-scope security vulnerability on a DfE system you should:

  1. Read this vulnerability disclosure policy fully.
  2. Check for more information about what we consider to be in-scope.
  3. Submit a vulnerability report.

Vulnerability disclosure policy

This DfE vulnerability disclosure policy applies to any information technology (IT) or cyber security vulnerabilities you're considering reporting to us.

We recommend reading this policy fully before you report a vulnerability. We are grateful to those who take the time to report security vulnerabilities according to this policy. However, we do not offer financial rewards for vulnerability disclosures.

DfE actively endorses and supports working with the research and security practitioner community to improve our online security. We welcome investigative work into security vulnerabilities, carried out by well-intentioned and ethical security researchers.

We are committed to:

  • investigating and resolving security issues in our platform and services thoroughly
  • working in collaboration with the security community
  • responding promptly and actively

Scope

This policy only applies to vulnerabilities found in DfE products and services under the following conditions.

In scope vulnerabilities must be:

  • original
  • previously unreported
  • not already discovered by internal procedures

Not in scope:

  • volumetric vulnerabilities (DoS): simply overwhelming a service with a high volume of requests will not be accepted as a report
  • reports of non-exploitable vulnerabilities and reports indicating that our services do not fully align with best practice (for example missing security headers)
  • TLS configuration weaknesses, for example, weak cipher suite support or the presence of TLS 1.0 support

This policy applies to all external parties, third party suppliers and general users of DfE public services.

How to report a vulnerability

If you believe you've found a security vulnerability in any of DfE's services or systems, submit your report to us through HackerOne.

Include details of:

  • the website, IP or page where the vulnerability was encountered or seen
  • a brief description of the type of vulnerability, for example: XSS vulnerability
  • steps to reproduce; these steps should be a non-destructive proof of concept

Including steps to reproduce the vulnerability helps us to triage the report quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

Guidelines for reporting a vulnerability

You should:

  • always comply with data protection rules and not violate the privacy of DfE users, staff, contractors, services or systems; you must not, for example, share, redistribute or fail to properly secure data retrieved from systems or services
  • securely delete all data retrieved during your research as soon as it's no longer required, or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law)

You must not:

  • break any applicable law or regulations
  • access unnecessary, excessive or significant amounts of data
  • modify data in DfE systems or services
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • attempt or report any form of denial of service (for example, overwhelming a DfE service with a high volume of requests)
  • disrupt DfE's services or systems
  • submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with best practice (for example, missing security headers)
  • submit reports describing TLS configuration weaknesses, for example weak cipher suite support or the presence of TLS 1.0 support
  • communicate any vulnerabilities or associated details other than by means described in the published security.txt
  • socially engineer, phish or physically attack DfE's staff or infrastructure
  • demand financial compensation to disclose any vulnerabilities

What to expect after you've made your report

After you have submitted your report, we'll respond within 5 working days. Priority is assessed by looking at the impact, severity and exploit complexity of the vulnerability.

Vulnerability reports can take some time to address. You're welcome to enquire about the status of your report, but avoid doing so more than once every 2 weeks. This allows our teams to focus on fixing the vulnerability.

We'll tell you when the reported vulnerability is fixed and may ask you to confirm that the solution has worked for you.

Once the vulnerability has been resolved, you can ask DfE to disclose your report. Disclosing helps us unify and improve our guidance to those affected, so coordinating and including DfE in any of your information releases can be helpful.

If we can confirm and resolve the vulnerability, we'll offer to include you on our thanks and acknowledgement page. We'll ask you to confirm the details you want to include before anything is published.

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause DfE or partner organisations to be in breach of any legal obligations.

If legal action is initiated by a third party against you and you have complied with this policy, we can take steps to make it known that your actions were conducted in compliance with this policy.

Updates to this page

Published 23 September 2024

