Skip to content

Commit c674112

Browse files
authored
Add files via upload (#734)
1 parent c16aefe commit c674112

1 file changed

Lines changed: 64 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
# Security Policy
2+
3+
## Purpose
4+
5+
This document outlines how security vulnerabilities should be reported for this
6+
repository.
7+
8+
HMCTS is committed to responsible vulnerability disclosure and to addressing
9+
legitimate security issues in a timely and coordinated manner.
10+
11+
## Reporting a vulnerability
12+
13+
If you believe you have identified a security vulnerability in this repository, please report it by email to:
14+
15+
HMCTSVulnerabilityDisclosure@justice.gov.uk
16+
17+
This email address is the sole approved point of contact for vulnerability disclosures relating to HMCTS-owned repositories and services.
18+
19+
Please **do not** create public GitHub issues or pull requests to report security vulnerabilities.
20+
21+
## What to Include in a Report
22+
23+
When reporting a vulnerability, please provide as much of the following information as possible:
24+
25+
- The repository, service, or component affected
26+
- A clear description of the vulnerability
27+
- Steps required to reproduce the issue
28+
- Any non-destructive proof of concept or exploitation details
29+
30+
Where available, the following additional information is helpful:
31+
32+
- The suspected vulnerability type (for example, an OWASP category)
33+
- Relevant logs, screenshot or error messages
34+
35+
Reports do not need to be fully validated before submission. If you are unsure whether an issue is exploitable or security-relevant, you are still encouraged to report it.
36+
37+
## Responsible Disclosure Guidelines
38+
39+
When investigating or reporting a vulnerability affecting HMCTS systems, reporters must not:
40+
41+
- Break the law or breach applicable regulations
42+
- Access unnecessary, excessive, or unrelated data
43+
- Modify or delete data
44+
- Perform denial-of-service or other disruptive testing
45+
- Use high-intensity, invasive, or destructive scanning techniques
46+
- Publicly disclose the vulnerability before it has been addressed
47+
- Attempt social engineering, Phishing, or physical attacks
48+
- Demand payment or compensation in exchange for disclosure
49+
50+
These guidelines are intended to protect users, services, and data while allowing good-faith security research.
51+
52+
## Bug Bounty
53+
54+
HMCTS does not operate a paid bug bounty programme.
55+
56+
## Code of Conduct
57+
58+
All contributors and reporters are expected to act in good faith and in accordance with applicable laws and professional standards.
59+
60+
## Further Reading
61+
62+
- https://www.ncsc.gov.uk/information/vulnerability-reporting
63+
- https://www.gov.uk/help/report-vulnerability
64+
- https://github.com/Trewaters/security-README

0 commit comments

Comments
 (0)