Report a vulnerability on an Ofsted system
Guidance on how to report a security vulnerability on any Ofsted service or system.
Applies to England
This page is intended for ethical hackers or other members of the public who have discovered a technical vulnerability in an Ofsted system or service and wish to report it.
Ofsted takes the security of our systems seriously. If you think you have found a security vulnerability on any of Ofsted’s systems, this page will explain how to report it. It also explains what will happen next, and our policy in relation to security vulnerabilities.
We recommend that you read the entire page before you report a vulnerability, and that you always act in compliance with our policy.
We value those who take the time and effort to report security vulnerabilities. However, we do not offer monetary rewards for vulnerability reports.
Reporting
Ofsted’s vulnerability disclosure programme is run through HackerOne, a vulnerability coordination platform that hosts disclosure programmes for many government departments.
If you believe you have found a security vulnerability, please submit your report to HackerOne using the following link:
You will be asked to provide details of:
- the website, IP or page where the vulnerability can be observed
- a brief description of the type of vulnerability – for example, ‘XSS vulnerability’
- the steps required to reproduce the vulnerability – these should be a benign, non-destructive proof of concept; this helps to ensure that the report can be triaged quickly and accurately, and reduces the likelihood of duplicate reports and malicious exploitation of certain vulnerabilities, such as sub-domain takeovers
What happens next
After you have submitted your report, we will respond within 5 working days, and aim to triage it within 10 working days. We’ll also aim to keep you informed of our progress.
We prioritise vulnerability reports by looking at their impact and/or severity, and at how easy it would be for the vulnerability to be exploited. This process of triaging and addressing reports can take some time. You are welcome to enquire on the status of your report, but please avoid doing so more than once every 14 days. This allows our teams to focus on addressing these issues.
We will notify you when the vulnerability you reported has been dealt with. We may invite you to confirm that the solution adequately addresses the vulnerability.
Once the vulnerability has been resolved, you are free to publicly discuss or publish information about it. We do like to make sure that affected users receive unified guidance, so please continue to coordinate public release of information with us.
Vulnerability reporting policy
You must not:
- break any applicable laws or regulations
- access unnecessary, excessive or significant amounts of data
- modify data in our systems or services
- use high-intensity invasive or destructive scanning tools to find vulnerabilities
- attempt or report any form of denial of service, for example overwhelming a service with a high volume of requests
- disrupt our services or systems
- submit reports detailing non-exploitable vulnerabilities, or indicating that services do not fully align with best practice, for example missing security headers
- submit reports detailing TLS configuration weaknesses, for example ‘weak’ cipher suite support or the presence of TLS 1.0 support
- communicate any vulnerabilities or associated details other than by means described in the published security.txt
- social engineer, ‘phish’ or physically attack our staff or infrastructure
- demand financial compensation in order to disclose any vulnerabilities
You must:
- always comply with data protection rules and not violate the privacy of our users, staff, contractors, services or systems – for example by sharing, redistributing or failing to properly secure data retrieved from the systems or services
- securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law)
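The policy above routes all contact through the published security.txt (RFC 9116, served at /.well-known/security.txt). As an added example, which is not Ofsted’s file and not Ofsted’s or HackerOne’s code, here is a small checker a researcher can run over a saved copy of any organisation’s security.txt before reporting: it lists the Contact channels in their stated order of preference and flags a file that is expired, malformed or missing a required field, so a report is not sent to a stale channel. The sample file, its URLs and the programme name are constructed for illustration; Ofsted’s real file will differ.

```python
"""Parse and sanity-check an RFC 9116 security.txt file (offline, from text).

Added example: not Ofsted's published file or code. The sample below is
constructed; fetch the real file from https://<host>/.well-known/security.txt.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample (hypothetical URLs and programme name, not Ofsted's file).
SAMPLE_SECURITY_TXT = """\
# Constructed sample for this example; not Ofsted's published file.
Contact: https://hackerone.com/example-programme
Contact: mailto:security@example.gov.uk
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://www.example.gov.uk/report-a-vulnerability
"""

# Field names from RFC 9116 section 2.5; names are case-insensitive.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "csaf", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
REQUIRED_FIELDS = ("contact", "expires")     # both MUST be present
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

# Fixed clock so results are reproducible; real runs use datetime.now().
EXAMPLE_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {lowercased field name: [values in file order]}; skips comments/blanks."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return (fields, problems); an empty problems list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field '{name}'")

    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("'expires' must appear exactly once")
    elif expires:
        stamp = expires[0].replace("Z", "+00:00").replace("z", "+00:00")
        try:
            exp = datetime.fromisoformat(stamp)
        except ValueError:
            exp = None
            problems.append(f"'expires' is not an ISO 8601 timestamp: {expires[0]!r}")
        if exp is not None:
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("file has expired; its contact details may be stale")
            elif exp - now > timedelta(days=366):
                problems.append("'expires' is more than a year ahead (RFC 9116 recommends under a year)")

    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"'contact' should be an https://, mailto: or tel: URI, got {contact!r}")

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unrecognised field '{name}'")

    return fields, problems


def preferred_contacts(text):
    """Contact URIs in file order; RFC 9116 says the first listed is preferred."""
    return parse_security_txt(text).get("contact", [])


if __name__ == "__main__":
    fields, problems = validate_security_txt(SAMPLE_SECURITY_TXT)
    print("contacts (preferred first):", preferred_contacts(SAMPLE_SECURITY_TXT))
    print("problems:", problems or "none")
```

Run it against the text you actually fetched rather than the sample, and report through the first Contact entry it lists. An expired file is worth mentioning in the report itself, since the organisation may not know its published contact details have lapsed.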
Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause us or our partner organisations to be in breach of any legal obligations.
However, if legal action is initiated by a third party against you and you have complied with this policy, we can take steps to make it known that your actions were carried out in compliance with this policy.