|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Purpose |
| 4 | + |
| 5 | +This document outlines how security vulnerabilities should be reported for this |
| 6 | +repository. |
| 7 | + |
| 8 | +HMCTS is committed to responsible vulnerability disclosure and to addressing |
| 9 | +legitimate security issues in a timely and coordinated manner. |
| 10 | + |
| 11 | +## Reporting a vulnerability |
| 12 | + |
| 13 | +If you believe you have identified a security vulnerability in this repository, please report it by email to: |
| 14 | + |
| 15 | +HMCTSVulnerabilityDisclosure@justice.gov.uk |
| 16 | + |
| 17 | +This email address is the sole approved point of contact for vulnerability disclosures relating to HMCTS-owned repositories and services. |
| 18 | + |
| 19 | +Please **do not** create public GitHub issues or pull requests to report security vulnerabilities. |
| 20 | + |
| 21 | +## What to Include in a Report |
| 22 | + |
| 23 | +When reporting a vulnerability, please provide as much of the following information as possible: |
| 24 | + |
| 25 | +- The repository, service, or component affected |
| 26 | +- A clear description of the vulnerability |
| 27 | +- Steps required to reproduce the issue |
| 28 | +- Any non-destructive proof of concept or exploitation details |
| 29 | + |
| 30 | +Where available, the following additional information is helpful: |
| 31 | + |
| 32 | +- The suspected vulnerability type (for example, an OWASP category) |
| 33 | +- Relevant logs, screenshot or error messages |
| 34 | + |
| 35 | +Reports do not need to be fully validated before submission. If you are unsure whether an issue is exploitable or security-relevant, you are still encouraged to report it. |
| 36 | + |
| 37 | +## Responsible Disclosure Guidelines |
| 38 | + |
| 39 | +When investigating or reporting a vulnerability affecting HMCTS systems, reporters must not: |
| 40 | + |
| 41 | +- Break the law or breach applicable regulations |
| 42 | +- Access unnecessary, excessive, or unrelated data |
| 43 | +- Modify or delete data |
| 44 | +- Perform denial-of-service or other disruptive testing |
| 45 | +- Use high-intensity, invasive, or destructive scanning techniques |
| 46 | +- Publicly disclose the vulnerability before it has been addressed |
| 47 | +- Attempt social engineering, Phishing, or physical attacks |
| 48 | +- Demand payment or compensation in exchange for disclosure |
| 49 | + |
| 50 | +These guidelines are intended to protect users, services, and data while allowing good-faith security research. |
| 51 | + |
| 52 | + |
| 53 | +## Bug Bounty |
| 54 | + |
| 55 | +HMCTS does not operate a paid bug bounty programme. |
| 56 | + |
| 57 | +## Code of Conduct |
| 58 | + |
| 59 | +All contributors and reporters are expected to act in good faith and in accordance with applicable laws and professional standards. |
| 60 | + |
| 61 | +## Further Reading |
| 62 | + |
| 63 | +- https://www.ncsc.gov.uk/information/vulnerability-reporting |
| 64 | +- https://www.gov.uk/help/report-vulnerability |
| 65 | +- https://github.com/Trewaters/security-README |
0 commit comments