certain book: document a vulnerability on an MOD equipment

record a Vulnerability

The Ministry of Defence (MOD) takes the protection of our programs significantly. in case you agree with you have got discovered a vulnerability on any MOD gadget, you could record the usage of the Hacker One: post a vulnerability record.

Vulnerability Disclosure policy

We suggest reading this disclosure policy absolutely before you record any vulnerabilities. This helps make sure that you remember the policy, and act in compliance with it.

We value those who make an effort and energy to record security vulnerabilities based on this policy. despite the fact, we don’t present fiscal rewards for vulnerability disclosures.

Reporting

in case you trust you have found a protection vulnerability relating to a MOD equipment, please post a vulnerability record to Hacker One.

in your submission, encompass particulars of:

  • the web site, IP or page where the vulnerability may also be observed
  • a short description of the type of vulnerability, as an instance an ‘XSS vulnerability’
  • steps to breed. These should still be a benign, non-harmful, proof of theory. This helps to be sure that the file can also be triaged instantly and accurately. It additionally reduces the likelihood of duplicate reviews, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

What to expect

after you have submitted your report, we will respond to your report inside 5 working days and aim to triage your report inside 10 working days. We’ll additionally keep you advised about our development all over the technique by means of HackerOne in case you have registered for an account.

After the preliminary triage, precedence for remediation is assessed through looking on the affect, severity and exploit complexity. Vulnerability stories could make an effort to handle. you are welcome to enquire on the reputation however should still steer clear of doing so more than as soon as each 14 days. This permits our teams to focal point on the remediation.

we are able to notify you when the mentioned vulnerability is remediated, and you’ll be invited to confirm that the answer covers the vulnerability accurately.

as soon as your vulnerability has been resolved, we ask that you simply coordinate with us for any proposed public disclosure, so that we will unify suggestions to affected users.

guidance

You should no longer:

  • destroy any relevant legislation or regulation
  • access useless, excessive or big quantities of records. as an instance, 2 or 3 information is adequate to display most vulnerabilities, reminiscent of an enumeration or direct object reference vulnerability
  • regulate records in MOD systems or services
  • use excessive-intensity invasive or damaging scanning tools to discover vulnerabilities
  • attempt or file any form of denial of provider, for instance; overwhelming a provider with a excessive extent of requests
  • disrupt the MOD features or systems
  • post reports detailing non-exploitable vulnerabilities, or reports indicating that the features don’t wholly align with “superior follow”, as an instance lacking security headers
  • submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite assist or the presence of TLS1.0 assist
  • talk any vulnerabilities or associated details other than by capacity described during this policy
  • social engineer, ‘phish’ or physically attack the MOD team of workers or infrastructure
  • demand fiscal compensation with the intention to expose any vulnerabilities.

You should:

  • at all times agree to facts insurance policy rules and should now not violate the privacy of any information the MOD holds. You have to no longer, as an instance, share, redistribute or fail to accurately relaxed information retrieved from the programs or capabilities
  • securely delete all information retrieved right through your analysis as quickly as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as in any other case required by way of facts coverage legislations).

Legalities

This coverage is designed to be appropriate with usual vulnerability disclosure decent follow. It doesn’t give you permission to behave in any manner it truly is inconsistent with the law, or which may cause the MOD or partner companies to be in breach of any felony tasks.

This coverage doesn’t supply any sort of indemnity by the Authority or any third celebration for any movements if you’re in breach of the legislation and/or this policy.

The MOD affirms that it’s going to not are seeking prosecution of any protection researcher who stories any safety vulnerability on a MOD provider or equipment, the place the researcher has acted in respectable religion and in response to this disclosure policy.

posted 8 December 2020