Report a security issue in an HMRC online service
Find out how to report a potential security issue or vulnerability in an HMRC online service and what information to provide.
If you think you’ve found a security issue in an HMRC online service you should:
- report it to us as soon as possible by email: vulnerability.reporting@hmrc.gov.uk
- avoid doing anything to exploit it
To help us understand the nature and scope of the issue, if possible you should include:
- the type of issue (for example, buffer overflow, SQL injection, cross-site scripting)
- the location of the bug or the relevant URL
- a proof-of-concept or exploit code
- the impact of the issue, including how an attacker could exploit it
HMRC also subscribes to the National Cyber Security Centre (NCSC) Vulnerability Reporting Service. If you want to get an NCSC platform level acknowledgement for your report, follow the NCSC’s vulnerability reporting guide on their website.
What happens next
HMRC takes the security of online systems very seriously. We’ll investigate all reports and take action where necessary.
Last updated 8 April 2024
- The email address for reporting security vulnerabilities has been updated and information about encrypting an email before reporting a security vulnerability has been removed.
- Welsh version of the guidance has been added.
- Information for the National Cyber Security Centre Vulnerability Reporting Service added to the page.
- First published.