Skip to main content

Welcome to our new website. You may still see some pages from our old site as we move things over.

How to report a security vulnerability on our website

If you believe you have found a security vulnerability in our website, please report the vulnerability to us.

Report a security vulnerability on our website

What is a security vulnerability?

A security vulnerability is a flaw or weakness in our website's code, design, or configuration that someone could use successfully attack the Fund. This includes any vulnerabilities that could let someone:

  • gain unauthorised access to services or information
  • compromise data
  • disrupt services

About our vulnerability disclosure policy

This vulnerability disclosure policy applies to any vulnerabilities you consider reporting to us ('the Fund'). We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it.

We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards or 'bug bounties' for vulnerability disclosures.

Reporting security vulnerabilities: what to tell us

In your report, please include:

  • details of the website, IP or page where you found the vulnerability (including any relevant URLs)
  • a brief description of the type of vulnerability, for example; 'XSS vulnerability'
  • steps we could take to reproduce the vulnerability

The steps you outline should be a benign, non-destructive, proof of concept. This helps us triage your report quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

After you submit your report

We will:

  • respond to your report within 5 working days
  • aim to triage your report within 28 working days
  • aim to keep you informed of our progress

We prioritise which vulnerabilities to fix by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address.

We’ll let you know when we’ve fixed the vulnerability you’ve told us about. We may also invite you to confirm that our solution covers the vulnerability adequately.

Once we fix the vulnerability, we may share information about it to other civil service departments that could be affected.

Do’s and don’ts for reporting vulnerabilities

You must not:

  • break any applicable law or regulations
  • access unnecessary, excessive or significant amounts of data – you should exfiltrate no more than 10 records for the purpose of a proof of concept
  • modify data in the Fund’s systems or services.
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • attempt or report any form of denial of service, such as overwhelming a service with a high volume of requests
  • disrupt the Fund’s services or systems
  • submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with ‘best practice’, for example missing security headers
  • submit reports detailing TLS configuration weaknesses, for example ‘weak’ cipher suite support or the presence of TLS1.0 support
  • communicate any vulnerabilities or associated details other than by means described in the published security.txt
  • social engineer, ‘phish’, ‘vish’, ‘smish’ or physically attack the Fund’s staff or infrastructure
  • encrypt information that you’ve exfiltrated, so that we can no longer access it (even as part of a proof of concept)
  • demand financial compensation in order to disclose any vulnerabilities

You must always:

  • comply with data protection rules and must not violate the privacy of the Fund’s users, staff, contractors, services or systems. For example, you must not share, redistribute or fail to properly secure data retrieved from the systems or services
  • securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law)

The law and reporting vulnerabilities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the Fund or partner organisations to be in breach of any legal obligations.

The Fund commits to not pursue legal action against researchers who have acted in good faith and complied fully with this policy.