NCSC launches website vulnerability reporting service

The National Cyber Security Council (NCSC) has launched a vulnerability reporting service for government websites.

It provides a route for security researchers to inform the NCSC of any issues they detect, acknowledging the role played by people outside the organisation and public authorities.

The service has been created as it can be difficult to find the right contact inside organisations for reporting a vulnerability that has been identified.

It is also exempt from the GCHQ Equities Process, which can sometimes be used to prevent vulnerabilities being released.

The lead on the subject, named only as Ollie C, commented: For me, our vulnerability reporting service is a very important step as it represents our commitment to vulnerability disclosure co-ordination.

“We are continually looking to improve it, and as part of this we plan to be transparent around our learning. This reporting service operates hand-in-hand with the co-ordination pilot to start improving vulnerability disclosure across UK government.

“We are also keen to show our appreciation by issuing HackerOne reputation points to those that disclose.”

Refinements

He added that the NCSC will work with the security researcher community on refining the service, and over the next year will provide more information on the steps to create an organisation-wide vulnerability disclosure process.

The NCSC also made the point that disclosing a vulnerability does not in itself amount to an incident, which only occurs when it is used in an attack.