Report a vulnerability on an HM Land Registry service or system
Guidance on how to report a vulnerability on an HM Land Registry service or system.
1. Introduction
1.1 HM Land Registry data plays a critical role in the operation of the domestic and commercial property market in England and Wales.
1.2 Read more about what HM Land Registry does on GOV.UK.
2. Purpose
2.1 This vulnerability disclosure policy applies to any security vulnerabilities you are considering reporting to HM Land Registry.
2.2 You should read this disclosure policy fully before you report any security vulnerabilities, to ensure you understand the policy and are able to act in compliance with it.
2.3 HM Land Registry actively endorses and supports working with the research and security practitioner community, to improve the organisation’s online security. The organisation welcomes investigative work into security vulnerabilities, carried out by well-intentioned and ethical security researchers.
3. Scope
3.1 This policy applies to security vulnerabilities in HM Land Registry products and services.
4. Conditions
4.1 In accepting the rules and principles of this policy you agree that you will not disclose publicly the reported vulnerability unless this has been approved by HM Land Registry. You also agree that you will not attempt to exploit any vulnerability you have found to extract HM Land Registry data or records.
4.2 This policy applies to all users including HM Land Registry staff, third party suppliers and general users of HM Land Registry internet-facing services.
4.3 We value those who take the time and effort to report security vulnerabilities according to this policy, however, we do not offer rewards (financial or otherwise) for vulnerability disclosures.
5. How to report a technical vulnerability
5.1 HM Land Registry takes the security of its systems seriously. If you believe you have found a technical vulnerability on any HM Land Registry system, you can report it.
5.2 This policy does not provide any indemnity for any actions if they are against the law. It does not provide an indemnity from HM Land Registry or any third party.
5.3 In your report, please include details of:
- the website, IP or page where the vulnerability can be observed
- a brief description of the type of vulnerability, for example, cross site scripting vulnerability; and,
- the steps to reproduce the vulnerability, which should be benign, non-destructive, and proof of concept only. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as subdomain takeovers
5.4 If you are not sure if HM Land Registry is responsible for a service or IP address where you have discovered a security vulnerability, then you should report this to the National Cyber Security Centre (NCSC). More information about how to do this is available on the NCSC vulnerability reporting page.
6. What to expect
6.1 After you have submitted your report, we will acknowledge receipt of your submitted report within 5 working days of receipt, and respond as soon as possible, usually within 10 working days, to let you know whether further information is required, whether the vulnerability is in or out of scope, or is a duplicate report.
6.2 Priority for remediation is assessed by looking at the impact, severity, and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on any remediation.
6.3 We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
7. Feedback
7.1 We welcome feedback on the disclosure handling process and effectiveness of vulnerability resolution. Feedback can be provided to securityadvicecentre@landregistry.gov.uk. Your feedback will be treated in confidence and will be used to improve organisational processes for handling reports, developing services, and resolving vulnerabilities.
8. Acknowledgments
8.1 This policy has been adapted from the Ministry of Justice Vulnerability disclosure policy, which is made available under the Open Government Licence v3.0.
Policy guidance
When reporting a vulnerability you must not:
- break any applicable law or regulation
- attempt to exploit a vulnerability you have found to extract data
- use high-intensity invasive or destructive technical security scanning tools to find vulnerabilities
- violate the privacy of HM Land Registry users, staff, contractors, services, or systems. For example, by sharing, redistributing and/or not properly securing data retrieved from our systems or services
- communicate any vulnerabilities or associated details using methods not described in this policy, or with anyone other than their assigned HM Land Registry security contact
- modify data in HM Land Registry’s systems or services which does not belong to the researcher
- disrupt HM Land Registry’s services or systems
- social engineer, ‘phish’ or physically attack HM Land Registry’s staff or infrastructure
- disclose any vulnerabilities in HM Land Registry systems or services to 3rd parties or the public, prior to the HM Land Registry confirming that those vulnerabilities have been mitigated or rectified
- require financial compensation to disclose any vulnerabilities (such as holding an organisation to ransom)
This is not intended to stop you notifying a vulnerability to 3rd parties for whom the vulnerability is directly relevant.
An example would be where the vulnerability being reported is in a software library or framework. Details of the specific vulnerability as it applies to the HM Land Registry must not be referenced in such reports. For clarification about whether or when you can notify 3rd parties, contact us, making sure the subject is “VDP”.
We ask you to delete securely any and all data retrieved during your research as soon as it is no longer required or within one month of the vulnerability being resolved, whichever occurs first.
If at any time you are unsure if your intended or actual actions are in accordance with this policy, please contact us for guidance (using the subject: VDP) using the feedback link securityadvicecentre@landregistry.gov.uk
Legalities
This policy is designed to be compatible with common good practice among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause HM Land Registry to be in breach of any of its legal obligations, including but not limited to (as updated from time to time):
- The Computer Misuse Act (1990)
- The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
- The Copyright, Designs and Patents Act (1988)
- The Official Secrets Act (1989)
HM Land Registry affirms that it will not seek prosecution of any security researcher who reports any security vulnerability on an HM Land Registry service or system, where the researcher has acted in good faith and in accordance with this policy.