Guidance on how to report a security vulnerability on a Welsh Government system or service.

First published: 12 December 2025
Overview

Welsh Government, in collaboration with the National Cyber Security Centre (NCSC), operates a Vulnerability Disclosure Programme (VDP), hosted on HackerOne.

This disclosure policy applies to individuals and organisations reporting security vulnerabilities to the Welsh Government. Please read the policy in full before reporting a vulnerability.

Please consult the defined scope to ensure that any reported vulnerability is relevant and directed to the appropriate organisation.

Welsh Government recognises reports of security vulnerabilities submitted in accordance with this policy. As a public sector body, Welsh Government does not provide financial or equivalent incentives for reporting security vulnerabilities. Requests for financial compensation should not be made.

Reporting a vulnerability

Report a vulnerability on HackerOne.

Details

In your vulnerability report, please include:

  • the website, IP, or web page where the vulnerability can be observed
  • a brief description of the type of vulnerability, for example, ‘XSS vulnerability’
  • steps to reproduce the vulnerability; these should be a benign, non-destructive proof of concept

What happens next

Once your report is submitted, we will reply within 5 working days and aim to triage it within 10 working days. We will keep you updated on our progress.

Remediation priority is determined by impact, urgency, and exploit complexity. Vulnerability reports may take time to process; you may enquire about their status, but limit requests to once every 7 days. This allows our teams to focus on the remediation.

Remediation

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

We will make every effort to provide relevant feedback on HackerOne user profiles to appropriately acknowledge your contributions.

Scope

The Welsh Government Vulnerability Disclosure Programme is managed by the Cyber Security Operations Centre (CSOC) of the Welsh Government. The CSOC manages the assessment and communication of security vulnerabilities within the organisation.

The CSOC does not have authority over other government or public sector organisations.

Please note the below reports fall outside of the scope of this VDP:

  • reports detailing non-exploitable vulnerabilities
  • reports indicating that the services do not fully align with ‘best practice,’ for example, missing security headers

Policy

To submit your report, you will need access to the HackerOne portal. You will be required to agree to the HackerOne terms and conditions and acknowledge that you have read their privacy policy and disclosure guidelines (both published on HackerOne).

You must not:

  • violate any laws or regulations
  • access unneeded or substantial amounts of data
  • alter system or service data
  • modify our systems or services in any way
  • modify the Welsh Government Website (defacing)
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • attempt any form of denial of service, for example, overwhelming a service with a high volume of requests
  • disrupt the Welsh Government
  • communicate any vulnerabilities or associated details by other means than the HackerOne portal
  • socially engineer, ‘phish’ or physically attack the organisation’s staff or infrastructure
  • demand financial compensation in order to disclose any vulnerabilities

You must:

  • always comply with data protection legislation and not violate the privacy of the organisation’s users, staff, contractors, services, or systems; you must not, for example, share, redistribute or fail to properly secure information retrieved from the systems or services
  • securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law)

Legal considerations

This policy aligns with widely accepted vulnerability disclosure practices. It does not authorise actions that contravene the law or result in breaches of legal obligations for you, your organisation, or partner organisations.

For instance, activities prohibited by the Computer Misuse Act 1990, the Investigatory Powers Act 2016, or applicable computer misuse laws in your country of residence are not permitted.

Should a third party commence legal proceedings against you, and your actions were in accordance with this policy, we may take steps to clarify that your conduct was consistent with the established guidelines.