GovWire

Guidance: Report a vulnerability on a DVSA system

Driver Vehicle Standards Agency

24 October 2023, 08:24

The Driver and Vehicle Standards Agency (DVSA) is responsible for:

  • carrying out theory tests and driving tests
  • approving people to be driving instructors and motorcycle trainers
  • approving people to be MOT testers
  • carrying out roadside checks on commercial drivers and vehicles
  • monitoring recalls of vehicles, parts and accessories
  • supporting the Traffic Commissioners for Great Britain and the Northern Ireland transport regulator to license and monitor companies who operate lorries, buses and coaches

View DVSA's online services.

About our vulnerability disclosure policy

A vulnerability is a technical issue with a DVSA system which attackers or hackers could use to exploit the system and its users.

Vulnerabilities are covered by this policy if the security.txt file for the domain points to this page.

You will not be paid a reward for reporting a vulnerability (known as a bug bounty).

Report a security vulnerability

Report a vulnerability on HackerOne.

Include in your report:

  • the website, IP or page where you found the vulnerability
  • a brief description of the type of vulnerability, for example XSS vulnerability
  • details of the steps we need to take to reproduce the vulnerability
  • screenshots or logs if you have them

Guidelines for reporting a vulnerability

When you are investigating and reporting the vulnerability, you must not:

  • break the law
  • access unnecessary or excessive amounts of data
  • modify data
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • try a denial of service - for example overwhelming a service on DVSA's services or systems
  • social engineer, phish or physically attack DVSA's staff or infrastructure
  • demand money to disclose a vulnerability

Contact DVSA to report other issues, including:

  • non-exploitable vulnerabilities
  • something you think could be improved - for example, missing security headers
  • TLS configuration weaknesses - for example weak cipher suite support or the presence of TLS1.0 support

Data protection

You must:

  • follow data protection rules
  • keep the data secure until you delete it - you must delete the data as soon as we no longer need it or no later than 1 month after the vulnerability has been resolved (whichever comes first)

You must not share, redistribute or fail to properly secure data retrieved from DVSA's systems or services.

What happens next

You'll get updates on the progress in fixing the vulnerability through HackerOne, if you have an account.

We'll confirm that we have received your report within 5 working days.

We'll try to assess your report within 10 working days.

How we prioritise fixes

We prioritise fixes by looking at:

  • the impact
  • the severity
  • how complex the exploit is

When the vulnerability has been fixed

We'll contact you when the reported vulnerability has been fixed. We may ask you to check it has been fixed.

We can work with you to disclose and publish the report after the vulnerability has been fixed.

Published 24 October 2023
