Find out how to report a potential security issue in an HMRC online service and what information to provide.
If you think you’ve found a security vulnerability in an HMRC online service you should:
- report it to us as soon as possible
- avoid doing anything to exploit the vulnerability
To help us understand the nature and scope of the issue, if possible you should include:
- the type of issue (for example, buffer overflow, SQL injection, cross-site scripting)
- the location of the bug or the relevant URL
- a proof-of-concept or exploit code
- the impact of the issue, including how an attacker could exploit it
To report a potential vulnerability, email email@example.com
If you want to encrypt your email before sending any details, email us and ask for a copy of our public key.
HMRC also subscribes to the National Cyber Security Centre (NCSC) Vulnerability Reporting Service. If you want to get an NCSC platform level acknowledgement for your report, follow the Vulnerability reporting guide.
What happens next
HMRC takes the security of online systems very seriously. We’ll investigate all reported vulnerabilities and take action where necessary. We’ll only reply if we need further information from you.