Skip to content

Security: DFE-Digital/buy-for-your-school

SECURITY.md

Security notice

This is the security notice for all Department for Education (DfE) repositories. It explains how vulnerabilities should be reported to DfE. At DfE, we have cyber security and information assurance teams, as well as security-conscious people within the programmes and services, that assess and triage all reported vulnerabilities.

Reporting a vulnerability

DfE is an advocate of responsible vulnerability disclosure. If you’ve found a vulnerability, we would like to know so we can fix it. If you believe you have found a vulnerability, submit your report to us through HackerOne.

Up to date contact information for DfE can be found in our central security.txt file.

In your report please include details of:

  • the website, page or repository where the vulnerability can be found
  • a brief description of the vulnerability
  • optionally, the type of vulnerability and any related OWASP category
  • steps to reproduce - these should be a non-destructive proof of concept

Including steps to reproduce the vulnerability helps to triage the report quickly and accurately, and reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities such as sub-domain takeovers

Scope

The following are not in scope:

  • volumetric vulnerabilities - for example, overwhelming a service with a high volume of requests
  • reports indicating that our services do not fully align with ‘best practice’, for example, missing security headers

If you are not sure, you can still contact us by email at [email protected].

Bug bounty

DfE does not offer a paid bug bounty programme. We will make efforts to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly in our thanks.txt.

What to expect

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address.

You are welcome to enquire on the status but avoid doing so more than once every 2 weeks. This allows our teams to focus on fixing the vulnerability.

We will tell you when the reported vulnerability is fixed and may ask you to confirm that the solution has worked for you by retesting the issue after a fix has been deployed.

Once your vulnerability has been resolved, you can ask us to disclose your report. Disclosing helps us unify and improve guidance to affected users, so coordinating and including DfE in any of your information releases can be helpful.

If we can confirm and resolve the vulnerability, we’ll offer to include you on our thanks and acknowledgement page. We’ll ask you to confirm the details you want to include before anything is published.

Code of Conduct

DfE has a contributors code of conduct


Further reading and inspiration about responsible disclosure and SECURITY.md

There aren’t any published security advisories