Skip to content

Security: alphagov-mirror/government-service-design-manual

Security

SECURITY.md

Security Notice

What?

This is the security notice for all GDS (Government Digital Service) repositories. The notice explains how vulnerabilities should be reported to GDS. At GDS there are cyber security and information assurance teams, as well as security-conscious people within the programmes, that assess and triage all reported vulnerabilities.

Reporting a Vulnerability

GDS is an advocate of responsible vulnerability disclosure. If you’ve found a vulnerability, we would like to know so we can fix it.

Send details to disclosure@digital.cabinet-office.gov.uk, including:

  • the website, page or repository where the vulnerability can be observed
  • a brief description of the vulnerability
  • optionally the type of vulnerability and any related OWASP category
  • non-destructive exploitation details

GDS use ZenDesk as a ticketing system, so you may get a reply or response from that platform.

Scope

The following are not in scope:

  • volumetric vulnerabilities, for example overwhelming a service with a high volume of requests
  • reports indicating that our services do not fully align with “best practice”, for example missing security headers

If you are not sure, you can still reach out via email; disclosure@digital.cabinet-office.gov.uk.

Bug bounty

Unfortunately, GDS doesn't offer a paid bug bounty programme. GDS will make efforts to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly.

Code of Conduct

GDS have a contributors code of conduct, which you can find here: CODE_OF_CONDUCT.md


Further reading and inspiration about responsible disclosure and SECURITY.md

There aren’t any published security advisories