Guidance

Report a security vulnerability in an HMRC online service

Find out how to report a potential security issue in an HMRC online service and what information to provide.

If you think you’ve found a security vulnerability in an HMRC online service you should:

  • report it to us as soon as possible
  • avoid doing anything to exploit the vulnerability

To help us understand the nature and scope of the issue, if possible you should include:

  • the type of issue (for example, buffer overflow, SQL injection, cross-site scripting)
  • the location of the bug or the relevant URL
  • a proof-of-concept or exploit code
  • the impact of the issue, including how an attacker could exploit it

To report a potential vulnerability, email vulnerability.reporting@hmrc.gov.uk

If you want to encrypt your email before sending any details, email us and ask for a copy of our public key.

HMRC also subscribes to the National Cyber Security Centre (NCSC) Vulnerability Reporting Service. If you want to get an NCSC platform level acknowledgement for your report, follow the Vulnerability reporting guide.

What happens next

HMRC takes the security of online systems very seriously. We’ll investigate all reported vulnerabilities and take action where necessary. We’ll only reply if we need further information from you.

Published 18 April 2018
Last updated 20 August 2019
  1. Welsh version of the guidance has been added.

  2. Information for the National Cyber Security Centre Vulnerability Reporting Service added to the page.

  3. First published.