Read this Vulnerability Disclosure Policy completely before reporting a vulnerability. You must always act in accordance with this policy.

This policy applies to any vulnerabilities that you plan to report to Companies House.

We appreciate those who take the time and effort to report security vulnerabilities in accordance with this policy. However, we do not offer monetary rewards for vulnerability disclosures.

Report a vulnerability

If you believe you have found a security vulnerability, send us your report using Hacker One: Submit a Vulnerability Report.

In your report, you should include details about:

  • the website, IP address or page where you found the vulnerability

  • a brief description of the type of vulnerability, for example, “XSS vulnerability”

  • steps to reproduce

The steps to be reproduced must be a benign and non-destructive proof of concept. This is to ensure that we can sort the report quickly and accurately. It also reduces the risk of duplicate reports or malicious exploitation of certain vulnerabilities, such as subdomain takeovers.

Tips for reporting a vulnerability

You must not:

  • violate any law or regulation
  • access unnecessary, excessive or significant amounts of data
  • modify data in Companies House systems or services
  • use high intensity invasive or destructive scan tools to find vulnerabilities
  • attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests
  • disrupt Companies House services or systems
  • submit reports detailing non-exploitable vulnerabilities, or reports indicating that services do not fully align with ‘best practices’, for example missing security headers
  • submit reports detailing weaknesses in the TLS configuration, for example “weak” cipher suite support or presence of TLS1.0 support
  • communicate any vulnerability or associated details other than by the means described in the published security.txt
  • social engineer, ‘phish’ or physically attack Companies House staff or infrastructure
  • require financial compensation to disclose any vulnerability
  • publicly disclose any resolved vulnerability reports without the prior written consent of Companies House

You have to:

  • securely delete all data recovered during your search as soon as it is no longer needed or within one month of the vulnerability being resolved – whichever occurs first, or as required by data protection law
  • always abide by data protection rules and not violate the privacy of users, staff, contractors, services or systems of Companies House – for example, you must not share, redistribute or fail to secure properly data retrieved from systems or services

What to expect after submitting your report

We will respond to your report within 5 business days. We will do our best to sort your report within 10 business days. We will also endeavor to keep you informed of our progress.

We assess the priority of remediation by examining:

  • impact
  • gravity
  • exploit complexity

Sorting or resolving vulnerability reports may take some time. You can request the status, but do not request more than once every 14 days. This gives our teams time to focus on remediation.

We will notify you when your reported vulnerability is addressed. We may prompt you to confirm that the solution adequately covers the vulnerability.

Legalities

This policy is designed to be compatible with current best practices for vulnerability disclosure. This does not give you permission to act in a way that is inconsistent with the law or that could cause Companies House or our partner organizations to violate legal obligations.

If a third party takes legal action against you and you have complied with this policy, we may take steps to communicate that your actions comply with this policy.

Posted on November 1, 2021