Find out how to report a potential security issue in an HMRC online service and what information to provide.
If you think you’ve found a security vulnerability in an HMRC online service you should:
- report it to us as soon as possible
- avoid doing anything to exploit the vulnerability
To help us understand the nature and scope of the issue, if possible you should include:
- the type of issue (for example, buffer overflow, SQL injection, cross-site scripting)
- the location of the bug or the relevant URL
- a proof-of-concept or exploit code
- the impact of the issue, including how an attacker could exploit it
To report a potential vulnerability, email firstname.lastname@example.org
If you want to encrypt your email before sending any details, email us and ask for a copy of our public key.
What happens next
HMRC takes the security of online systems very seriously. We’ll investigate all reported vulnerabilities and take action where necessary. We’ll only reply if we need further information from you.