
The MHCLG Way and its content is intended for internal use by the MHCLG community.

Vulnerability Disclosure and security.txt

Vulnerability Disclosure

TODO: Confirm with the MHCLG Cyber Security team that this guidance applies for all MHCLG services. (communities.gov.uk/security.txt redirects to the Cabinet Office security.txt so it probably does?)

MHCLG is part of a vulnerability disclosure programme with HackerOne and NCC Group to triage reports from security researchers. This is not a signpost inviting security researchers to ‘hack’ our systems; we advocate coordinated disclosure so that we hear about issues and fix them before they cause a security incident.

The public security policy is here: https://www.gov.uk/help/report-vulnerability

MHCLG services are within scope of this programme and should participate by:

  • publishing a security.txt
  • having a plan for how you would respond to a vulnerability notification (triage, escalation, etc.).

security.txt

A security.txt file tells researchers how to get in contact with us. Under the current policy, reports are only accepted for services that publish a security.txt file pointing to the security policy, so a service without one may never hear about a vulnerability that a researcher has found.

Cabinet Office/GDS have a central deployment of the security.txt file. The public alphagov/security.txt repo is where it’s maintained.

You should use https://vdp.cabinetoffice.gov.uk/.well-known/security.txt as either:

  • the origin your site serves its own /.well-known/security.txt from (for example via a reverse proxy or CDN origin rule), or
  • the destination of a redirect from /.well-known/security.txt

A note on the redirect mechanism: implement the first option your platform supports, in the order below, to ensure the best compatibility with all user agents (researchers’ scripts and scanners typically follow only HTTP redirects, not HTML or JavaScript ones):

  1. Server-side redirect (302 status and Location header in response)
  2. Client-side HTML (meta http-equiv=refresh tag in the head)
  3. Client-side JavaScript redirect (window.location.href) - this won’t work if JavaScript is disabled, so you should display a link as well

As well as /.well-known/security.txt you may optionally configure /security.txt.

We do not recommend hosting the security.txt file yourself. If you do host it yourself, serve it at /.well-known/security.txt (and optionally /security.txt) with a text/plain content type, and follow the current security.txt guidance (the format is specified in RFC 9116, which requires at least Contact and Expires fields, so an out-of-date Expires will make your file invalid).
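As an added example that is not part of this page or of MHCLG or GDS tooling: a small Python checker for the two acceptable deployments described above (redirect to the central file, or a self-hosted text/plain file). It follows only HTTP redirects, so a service relying on a meta-refresh or JavaScript fallback is reported as serving the wrong content type, which is what a researcher’s script would see too. The Contact/Expires checks come from RFC 9116; the requirement that a self-hosted file’s Policy line point at the GOV.UK policy is this example’s reading of the rule above. All URLs and response bodies in it are constructed.

```python
"""Check how a service exposes /.well-known/security.txt (added example, not MHCLG tooling).

Accepted deployments:
  1. the URL redirects (HTTP 3xx) to the central Cabinet Office file, or
  2. the service serves the file itself, as text/plain, with the fields RFC 9116
     requires and a Policy line pointing at the GOV.UK reporting policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

CENTRAL_URL = "https://vdp.cabinetoffice.gov.uk/.well-known/security.txt"
POLICY_URL = "https://www.gov.uk/help/report-vulnerability"
ACCEPTED_PATHS = ("/.well-known/security.txt", "/security.txt")


@dataclass
class Observation:
    """What a client saw after following HTTP redirects (meta refresh / JS are not followed)."""
    requested_url: str
    final_url: str      # URL the body came from, after any 3xx hops
    status: int
    content_type: str   # raw Content-Type header value
    body: str


def parse_fields(body: str) -> list[tuple[str, str]]:
    """Split a security.txt body into (field, value) pairs.

    Field names are case-insensitive (RFC 9116); comments (#), blank lines and
    PGP signature framing lines without a colon are ignored.
    """
    fields: list[tuple[str, str]] = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def _expired(value: str, now: datetime) -> bool:
    """True if an Expires value (ISO 8601, e.g. 2026-01-31T23:59:59.000Z) is past or unparseable."""
    try:
        when = datetime.fromisoformat(value.replace("Z", "+00:00"))  # 'Z' only parses natively on 3.11+
    except ValueError:
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now


def check(obs: Observation, now: datetime | None = None) -> list[str]:
    """Return a list of findings; an empty list means the deployment meets the rules above."""
    now = now or datetime.now(timezone.utc)
    findings: list[str] = []
    path = urlsplit(obs.requested_url).path
    if path not in ACCEPTED_PATHS:
        findings.append(f"checked path {path!r}; expected one of {ACCEPTED_PATHS}")
    if obs.final_url == CENTRAL_URL:
        return findings  # redirected to the central file: nothing else to check locally
    # Self-hosted (or origin-proxied) file: apply the hosting rules.
    if obs.status != 200:
        findings.append(f"HTTP {obs.status} instead of 200 (and no redirect to {CENTRAL_URL})")
        return findings
    if not obs.content_type.lower().startswith("text/plain"):
        findings.append(f"Content-Type is {obs.content_type!r}; must be text/plain "
                        "(a meta-refresh or JavaScript redirect page is not a security.txt)")
    values: dict[str, list[str]] = {}
    for name, value in parse_fields(obs.body):
        values.setdefault(name, []).append(value)
    if not values.get("contact"):
        findings.append("missing Contact field (required by RFC 9116)")
    expires = values.get("expires", [])
    if not expires:
        findings.append("missing Expires field (required by RFC 9116)")
    elif _expired(expires[0], now):
        findings.append(f"Expires {expires[0]!r} is in the past or unparseable")
    if POLICY_URL not in values.get("policy", []):
        findings.append(f"Policy field does not point at {POLICY_URL}")
    return findings


def fetch(url: str, timeout: float = 10.0) -> Observation:
    """Fetch a URL following HTTP redirects only, mirroring what a researcher's script sees."""
    req = Request(url, headers={"User-Agent": "security-txt-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return Observation(url, resp.geturl(), resp.status,
                               resp.headers.get("Content-Type", ""),
                               resp.read().decode("utf-8", "replace"))
    except HTTPError as err:  # 4xx/5xx still carry a body and headers worth reporting
        return Observation(url, err.geturl(), err.code,
                           err.headers.get("Content-Type", ""),
                           err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    for finding in check(fetch(sys.argv[1])) or ["OK"]:
        print(finding)
```

Run it as `python check_security_txt.py https://your.service.gov.uk/.well-known/security.txt` (the filename is an assumption). Because `fetch()` goes through `urllib`, which honours `Location` headers but never executes HTML or JavaScript, a service that only has the meta-refresh or `window.location.href` fallback will show up as a `text/html` response with no Contact or Expires fields, which is the reason the server-side redirect is listed first above.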

thanks.txt

The central security.txt file links to an acknowledgements page, which is used for thanking researchers for valid reports. The page is a plain text file hosted at: https://vdp.cabinetoffice.gov.uk/thanks.txt

The thanks.txt file is also maintained in the alphagov/security.txt repo.

If your vulnerability report comes to the MHCLG Cyber Security team, the team will engage with the researcher and ask if they would like to be added to the page.

If you receive and manage a report directly and want to acknowledge a researcher, check with them first and ask which name they wish to have displayed.

This page was last reviewed on 28 July 2025. It needs to be reviewed again on 28 October 2025 by the page owner #mhclg-way.