This is the security notice for all GDS (Government Digital Service) repositories. The notice explains how vulnerabilities should be reported to GDS. At GDS there are cyber security and information assurance teams, as well as security-conscious people within the programmes, that assess and triage all reported vulnerabilities.

GDS is an advocate of responsible vulnerability disclosure. If you’ve found a vulnerability, we would like to know so we can fix it.

Send details to disclosure@digital.cabinet-office.gov.uk, including:

• the website, page or repository where the vulnerability can be observed
• a brief description of the vulnerability
• optionally the type of vulnerability and any related OWASP category
• non-destructive exploitation details

GDS use ZenDesk as a ticketing system, so you may get a reply or response from that platform.

The following are not in scope:

• volumetric vulnerabilities, for example overwhelming a service with a high volume of requests
• reports indicating that our services do not fully align with “best practice”, for example missing security headers

If you are not sure, you can still reach out via email; disclosure@digital.cabinet-office.gov.uk.

Unfortunately, GDS doesn't offer a paid bug bounty programme. GDS will make efforts to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly.

GDS have a contributors code of conduct, which you can find here: CODE_OF_CONDUCT.md

• https://mojdigital.blog.gov.uk/vulnerability-disclosure-policy/
• https://www.ncsc.gov.uk/information/vulnerability-reporting
• https://github.com/Trewaters/security-README