If you believe you've found a vulnerability in a UK government website or system, please contact the owner.
If there is not a point of contact (or no response) you can report the vulnerability to us using the HackerOne website.
If you encounter a problem submitting your report, please contact the NCSC directly.
Reporting vulnerabilities using the HackerOne website
- Please do not share the vulnerability information beyond the owner and us, without express consent from the owner.
- Vulnerabilities reported to the HackerOne platform can be submitted without the need to create a HackerOne account. However, if you wish to be updated or acknowledged (with your consent), you should create an account.
- Once you have submitted the report, it will be assessed by NCC Group within five working days, and forwarded to the affected owners as soon as possible.
- The NCSC will attempt to make contact with the affected owner. However, the affected owner holds responsibility for resolving the issue.