Vulnerability Reporting

Created: 15 Nov 2018
Updated: 15 Nov 2018
How to report a vulnerability in a UK government website or system

If you believe you've found a vulnerability in a UK government website or system, please contact the owner.

If there is no point of contact (or you receive no response), you can report the vulnerability to us using the HackerOne website.

If you encounter a problem submitting your report, please contact the NCSC directly.


Reporting vulnerabilities using the HackerOne website

  • Please do not share the vulnerability information beyond the owner and us without express consent from the owner.
  • Vulnerabilities reported to the HackerOne platform can be submitted without the need to create a HackerOne account. However, if you wish to be updated or acknowledged (with your consent), you should create an account.  
  • To submit your report, you will need to agree to the HackerOne Terms and Conditions and acknowledge that you have read their Privacy Policy and Disclosure Guidelines.
  • Once you have submitted the report, it will be assessed by NCC Group within five working days, and forwarded to the affected owners as soon as possible.  
  • The NCSC will attempt to make contact with the affected owner. However, the affected owner holds responsibility for resolving the issue.
