Report a vulnerability on a Companies House system
How to report a security vulnerability on a Companies House service or system.
Read this vulnerability disclosure policy fully before you report a vulnerability. You should always act in compliance with this policy.
This policy applies to any vulnerabilities you’re considering reporting to Companies House.
We value those who take the time and effort to report security vulnerabilities in line with this policy. However, we do not offer monetary rewards for vulnerability disclosures.
Report a vulnerability
If you believe you have found a security vulnerability submit your report to us using the Hacker One: submit a vulnerability report.
In your report, you must include details of:
-
the website, IP or page where you have found the vulnerability
-
a brief description of the type of vulnerability, for example, ‘XSS vulnerability’
-
steps to reproduce
The steps to reproduce should be a benign, non-destructive proof of concept. This helps to make sure that we can triage the report quickly and accurately. It also reduces the chances of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.
Guidance for reporting a vulnerability
You must not:
- break any law or regulations
- access unnecessary, excessive or significant amounts of data
- modify data in Companies House’s systems or services
- use high-intensity invasive or destructive scanning tools to find vulnerabilities
- attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests
- disrupt Companies House’s services or systems
- submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with ‘best practice’, for example missing security headers
- submit reports detailing TLS configuration weaknesses, for example ‘weak’ cipher suite support or the presence of TLS1.0 support
- communicate any vulnerabilities or associated details other than by means described in the published security.txt
- social engineer, ‘phish’ or physically attack Companies House’s staff or infrastructure
- demand financial compensation to disclose any vulnerabilities
- publicly disclose any resolved vulnerability report without prior written consent from Companies House
You must:
- securely delete all data retrieved during your research as soon as it’s no longer needed or within 1 month of the vulnerability being resolved - whichever occurs first, or as otherwise required by data protection law
- always comply with data protection rules and not violate the privacy of Companies House’s users, staff, contractors, services or systems - for example, you must not share, redistribute or fail to properly secure data retrieved from the systems or services
What to expect after you have submitted your report
We’ll respond to your report within 5 working days. We’ll aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress.
We assess the priority for remediation by looking at the:
- impact
- severity
- exploit complexity
Vulnerability reports might take some time to triage or address. You’re welcome to ask about the status but do not ask more than once every 14 days. This gives our teams time to focus on the remediation.
We’ll notify you when your reported vulnerability is remediated. We might invite you to confirm that the solution covers the vulnerability adequately.
Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any way that’s inconsistent with the law or might cause Companies House or our partner organisations to be in breach of any legal obligations.
If a third-party initiates legal action against you and you have complied with this policy, we can take steps to make it known that your actions complied with this policy.