Skip to content

Vulnerability Disclosure Programme (VDP)

Vulnerability Disclosure Programme

The vulnerability disclosure program (VDP) is a project that DfE has been onboarding to with the help of NCSC. It involves a toolkit designed to help us make it easier for security researchers to contact the correct teams to report vulnerabilities they've discovered.

All information on how to report a vulnerability to DfE as part of the VDP have been posted to our GOV.UK site.

To make reporting vulnerabilities easier, the toolkit suggests:

  • forms of communication - we have a Hackerone vulnerability disclosure link that goes directly to the vulnerability management (VM) team
  • a clear policy on what we expect from someone reporting a vulnerability and how we will respond
  • a security.txt file that can be published for all web services at the standard location (/.well-known) – DfE’s Cyber and Information Security division (CISD) have deployed a security.txt file linking to our communication options and also a thanks.txt file that gives acknowledgements to researchers

Security.txt file: https://vdp.security.education.gov.uk/.well-known/security.txt

Thanks.txt file: https://vdp.security.education.gov.uk/thanks.txt

The idea is based on the GDS/Cabinet Office centrally hosted PaaS project for VDP. As PaaS has been decommissioned, this project will be hosted on an Azure Storage static site.

Digital Service Secure by Design responsibilities

It is the responsibility of the digital service teams to ensure that they are:

  • discover vulnerabilities
  • manage observability
  • implement vulnerability management processes

The Vulnerability Disclosure Programme helps teams to achieve these activities by providing a simple, standardised way for security researchers to report vulnerabilities in applications. The vulnerability management team will follow a quick and simple triage process to ensure the vulnerability is raised to the team for fixing as soon as possible.

How to sign up for DfE's VDP

Security.txt redirection

To take advantage of the disclosure and triaging of vulnerabilities, digital services can set the origin or submit a 308 redirect to the centrally hosted security.txt when they attempt to browse to the "standard location" for a security.txt file.

For example:

If a user on your site attempts to browse to https://your-app/.well-known/security.txt or https://your-app/security.txt then set the origin or do a 308 redirect to https://vdp.security.education.gov.uk/.well-known/security.txt.

Likewise, if they attempt to browse to https://your-app/thanks.txt then set the origin or do a 308 redirect to https://vdp.security.education.gov.uk/thanks.txt.

Example Terraform configuration

If you are using Terraform, you could create a CDN rule similar to the following:

resource "azurerm_cdn_frontdoor_rule" "security_txt_rule" {

  depends_on = [<DOMAINS/ORIGINS>]
  name                      = "securitytxtredirect"
  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.<ruleset_name>.id
  order                     = 1
  behavior_on_match         = "Continue"

  actions {

    url_redirect_action {
      redirect_type        = "PermanentRedirect"
      redirect_protocol    = "Https"
      destination_hostname = "vdp.security.education.gov.uk"
      destination_path     = "/.well-known/security.txt"
    }
  }

  conditions {
    url_filename_condition {
      operator         = "BeginsWith"
      match_values     = ["security.txt", "/.well-known/security.txt"]
      transforms       = ["Lowercase"]
    }
  }
}

A good example of a service implementing the above terraform redirect can be found on the teacher services terraform module repo security rules.

Ensure the VM team have your current contact information

To make sure that the VM team can contact the right people in your team within a reasonable time period after a disclosure has been sent in, we ask that you provide a group email address to vulnerability.management@education.gov.uk so you can be contacted regardless of leavers/joiners processes.

Contributing to the security.txt or thanks.txt

The security.txt and thanks.txt files are deployed through Terraform to Azure Storage Blobs as a static site.

Raise a Pull Request (PR) against the repository if you want to suggest improvements to the files or deployment. A member of CISD will review and approve PRs, which will trigger a GitHub Actions pipeline to redeploy the changes.

If a security researcher has requested a bounty, ensure you state that we do not provide monetary bounties but will be happy to list their name under our acknowledgements page (thanks.txt). This can be done whether the notification was through the VDP or not. You can either request the change from the VM team or raise a PR directly.

Contributing

Refer to our GitHub repo contributing guidelines if you'd like to raise a bug or pull request to the security.txt or thanks.txt.