The Royal Household takes the security of our systems seriously. This page provides guidance on how to report a security vulnerability identified within any publicly accessible Royal Household website, system, application or infrastructure.
Vulnerability Disclosure Policy
It’s highly recommended that you read this Vulnerability Disclosure Policy fully before you report a vulnerability. This helps ensure that you fully understand the policy and act in compliance with it.
If you have discovered a vulnerability within a Royal Household website, system, or application, please submit a vulnerability report using the HackerOne platform.
In your submission, include details of:
The website, IP or page where the vulnerability can be observed.
A brief description of the type of vulnerability, for example an ‘XSS vulnerability’.
Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
What to expect
After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress.
Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.
Rules of Engagement
You must NOT:
Break any applicable laws or regulations.
Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
Use high-intensity invasive or destructive technical security scanning tools, that could impact the quality of service of Royal Household infrastructure or services, to find vulnerabilities.
Engage in physical testing of facilities or resources or perform social engineering on The Royal Household.
Attempt or report any form of denial of service, for example, overwhelming a service with high volume requests.
Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS 1.0 support.
Demand financial compensation before or after disclosing any vulnerabilities.
You must also not disclose any vulnerability found within a Royal Household system, website or application to third parties or the public before The Royal Household has confirmed that those vulnerabilities have been mitigated or remediated. This is not intended to stop you from notifying a vulnerability to third parties for whom the vulnerability is directly relevant, it’s to maintain confidentiality of communications and ensure Royal Household systems remain protected until the vulnerability has been remediated.
Always comply with data protection rules and must not violate the privacy of The Royal Household users, staff, contractors, services, or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or that might cause The Royal Household to be in breach of any of its legal obligations, including but not limited to:
The Computer Misuse Act (1990)
The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
The Copyright, Designs and Patents Act (1988)
The Official Secrets Act (1989)
The Royal Household will not seek prosecution of any security researcher who reports any security vulnerability in a Royal Household service or system where the researcher has acted in good faith and in accordance with this disclosure policy.