Security Vulnerability Disclosure Policy

NHS England, in collaboration with the National Cyber Security Centre (NCSC), operates a Vulnerability Disclosure Programme (VDP). Our disclosure policy applies to individuals and organisations reporting security vulnerabilities to NHS England.

To report an urgent cyber security incident or a vulnerability being actively exploited within the NHS, call 0300 303 5222.

NHS England, in collaboration with the National Cyber Security Centre (NCSC), operates a Vulnerability Disclosure Programme (VDP) hosted on HackerOne. The policy for this is outlined below.

This disclosure policy applies to individuals and organisations reporting security vulnerabilities to NHS England. Please read the policy in full before reporting a vulnerability.

Refer to the Scope below to ensure you are reporting an applicable vulnerability to the appropriate organisation. 

We value those who take the time and effort to report security vulnerabilities according to this policy. As a non-departmental government body, NHS England cannot offer financial or equivalent incentive for the reporting of security vulnerabilities. Please do not request financial compensation. 


Reporting

Reports are submitted via the form below. 

In your report, please include: 

  • The website, IP, or page where the vulnerability can be observed. 
  • A brief description of the type of vulnerability, for example, 'XSS vulnerability'. 
  • Steps to reproduce the vulnerability. These should be benign, non-destructive proofs of concept.

What to expect

After you have submitted your report, we will respond within 5 working days and aim to triage your report within 10 working days. We will also aim to keep you informed of our progress. 

Priority for remediation is assessed by looking at the impact, urgency, and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation. 

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once the vulnerability has been resolved, please let us know if you wish to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.

We will also endeavour to provide appropriate feedback on HackerOne user profiles to ensure you are recognised for your efforts. 


Scope

NHS England's Vulnerability Disclosure Programme is managed by NHS England's National Cyber Security Operations Centre (CSOC). The CSOC triages and communicates security vulnerabilities with NHS organisations within England.

The CSOC does not have remit over non-NHS organisations, including third-party and private healthcare suppliers.

Please note the below reports fall outside of the scope of this VDP:

  • Reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with 'best practice', for example, missing security headers. 
  • Reports detailing TLS configuration weaknesses, for example 'weak' cipher suite support or the presence of TLS1.0 support. 

Policy

To submit your report, you will need to agree to the HackerOne terms and conditions and acknowledge that you have read their privacy policy and disclosure guidelines.

You must not

  • Break any applicable law or regulations. 
  • Access unnecessary, excessive, or significant amounts of data. 
  • Modify data in our systems or services. 
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities. 
  • Attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests. 
  • Disrupt our organisation, our services or systems. 
  • Communicate any vulnerabilities or associated details other than by the means described in the published security.txt.
  • Socially engineer, ‘phish’ or physically attack the organisation's staff or infrastructure. 
  • Demand financial compensation in order to disclose any vulnerabilities. 

You must

  • Always comply with data protection rules and must not violate the privacy of the organisation’s users, staff, contractors, services or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services. 

  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law). 

Last edited: 9 January 2025 3:03 pm