Guidance

Report a security vulnerability in an HMRC online service

Find out how to report a potential security issue in an HMRC online service and what information to provide.

If you think you’ve found a security vulnerability in an HMRC online service, you should:

  • report it to us as soon as possible
  • avoid doing anything to exploit the vulnerability

To help us understand the nature and scope of the issue, if possible you should include:

  • the type of issue (for example, buffer overflow, SQL injection, cross-site scripting)
  • the location of the bug or the relevant URL
  • a proof-of-concept or exploit code
  • the impact of the issue, including how an attacker could exploit it

To report a potential vulnerability, email vulnerability.reporting@hmrc.gsi.gov.uk

If you want to encrypt your email before sending any details, email us and ask for a copy of our public key.

What happens next

HMRC takes the security of online systems very seriously. We’ll investigate all reported vulnerabilities and take action where necessary. We’ll only reply if we need further information from you.

Published 18 April 2018