This project aims to deploy a security.txt and thanks.txt file under the vulnerability disclosure program started by DfE with NCSC.
DFE-Digital/vulnerability-disclosure-program
Vulnerability Disclosure Program

The vulnerability disclosure program (VDP) is a project that DfE has been onboarding to with the help of NCSC. It is built around a toolkit designed to make it easier for security researchers to contact the correct teams to report vulnerabilities they've discovered.

To make reporting vulnerabilities easier, the toolkit suggests:

  • forms of communication - we have a Hackerone vulnerability disclosure link that goes directly to the vulnerability management (VM) team
  • a clear policy on what we expect from someone reporting a vulnerability and how we will respond
  • a security.txt file that can be published for all web services at the standard location (/.well-known) – DfE’s Cyber and Information Security division (CISD) have deployed a security.txt file linking to our communication options and also a thanks.txt file that gives acknowledgements to researchers

The idea is based on the GDS/Cabinet Office centrally hosted PaaS project for VDP. As PaaS has been decommissioned, this project will be hosted on an Azure Storage static site.

How to sign up for DfE's VDP

Security.txt redirection

To take advantage of the central disclosure and triage of vulnerabilities, digital services can either serve the centrally hosted security.txt from their origin or return a 302 redirect to it when a client browses to the "standard location" for a security.txt file.

For example:

If a user on your site attempts to browse to https://your-app/.well-known/security.txt or https://your-app/security.txt, then serve the file from your origin or return a 302 redirect to https://vdp.security.education.gov.uk/.well-known/security.txt.

Likewise, if they attempt to browse to https://your-app/thanks.txt, then serve the file from your origin or return a 302 redirect to https://vdp.security.education.gov.uk/thanks.txt.

Example Terraform configuration

If you are using Terraform, you could create a CDN rule similar to the following:

# Redirects any request whose filename is security.txt (so both /security.txt and
# /.well-known/security.txt) with a 302 Found to the centrally hosted file.
# Replace the <...> placeholders with your own domain/origin resources and rule set.
# This rule matches only security.txt; thanks.txt needs its own rule with
# destination_path = "/thanks.txt".
resource "azurerm_cdn_frontdoor_rule" "security_txt_rule" {
  depends_on                = [<DOMAINS/ORIGINS>]
  name                      = "security_txt_redirect"
  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.<ruleset_name>.id
  order                     = 1
  behavior_on_match         = "Continue"

  actions {
    url_redirect_action {
      redirect_type        = "Found"   # 302
      redirect_protocol    = "Https"
      destination_hostname = "vdp.security.education.gov.uk"
      destination_path     = "/.well-known/security.txt"
    }
  }

  conditions {
    url_filename_condition {
      operator     = "Equal"
      match_values = ["security.txt"]
      # Normalise the filename before comparing, so /Security.TXT also matches.
      transforms   = ["Lowercase", "RemoveNulls", "Trim"]
    }
  }
}
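As an added example (not part of this repository), the following Python script emulates what the rule above does with an incoming request and checks a service's observed response against the mapping given in this README. It goes slightly beyond the rule shown by also covering thanks.txt, assuming a second rule of the same shape with destination_path set to /thanks.txt; the sample responses are constructed, not real captures.

```python
from typing import List, Optional
from urllib.parse import urlsplit

CENTRAL_HOST = "vdp.security.education.gov.uk"
# Destinations from the README, keyed by the request filename the rule matches on.
# The rule above covers security.txt; thanks.txt assumes a second rule of the same shape.
VDP_PATHS = {
    "security.txt": "/.well-known/security.txt",
    "thanks.txt": "/thanks.txt",
}


def rule_redirect(request_url: str) -> Optional[str]:
    """Emulate url_filename_condition (transforms Lowercase, RemoveNulls, Trim;
    operator Equal) followed by url_redirect_action: return the Location that
    the 302 'Found' would carry, or None when no rule matches."""
    path = urlsplit(request_url).path
    filename = path.rsplit("/", 1)[-1].replace("\x00", "").strip().lower()
    dest = VDP_PATHS.get(filename)
    return None if dest is None else f"https://{CENTRAL_HOST}{dest}"


def check_response(request_url: str, status: int, location: Optional[str]) -> List[str]:
    """Validate an observed response from a service that should redirect to the
    central VDP files. Returns a list of findings; an empty list means compliant."""
    expected = rule_redirect(request_url)
    if expected is None:
        return [f"{request_url}: not a VDP file path, nothing to check"]
    findings = []
    if status != 302:
        findings.append(f"expected 302 Found, got {status}")
    if not location:
        findings.append("missing Location header")
        return findings
    loc = urlsplit(location)
    if loc.scheme != "https":
        findings.append(f"redirect must use https, got {loc.scheme or 'relative'}")
    if loc.netloc != CENTRAL_HOST:
        findings.append(f"redirect host {loc.netloc!r} is not {CENTRAL_HOST}")
    if location != expected:
        findings.append(f"Location {location} != expected {expected}")
    return findings


# Constructed sample responses, as you might collect with `curl -sI <url>`.
SAMPLES = [
    ("https://your-app/.well-known/security.txt", 302, "https://vdp.security.education.gov.uk/.well-known/security.txt"),
    ("https://your-app/Security.TXT", 302, "https://vdp.security.education.gov.uk/.well-known/security.txt"),
    ("https://your-app/thanks.txt", 301, "http://vdp.security.education.gov.uk/thanks.txt"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, check_response(url, status, location) or "OK")
```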

Ensure the VM team have your current contact information

To make sure that the VM team can contact the right people in your team within a reasonable time period after a disclosure has been sent to them (vulnerability.management@education.gov.uk), we ask that you provide a group email address to them so you can be contacted regardless of leavers/joiners processes.

Contributing to the security.txt or thanks.txt

The security.txt and thanks.txt files are deployed through Terraform to Azure Storage Blobs as a static site.

Raise a Pull Request (PR) against the repository if you want to suggest improvements to the files or deployment. A member of CISD will review and approve PRs, which will trigger a GitHub Actions pipeline to redeploy the changes. If a security researcher has requested a bounty, ensure you state that we do not provide monetary bounties but will be happy to list their name under our acknowledgements page (thanks.txt). This can be done whether the notification was through the VDP or not. You can either request the change from the VM team or raise a PR directly.

Design decisions

The site will be:

  • deployed by Terraform
  • built and released with GitHub Actions for CI/CD
  • changed through pull requests
  • hosted in Azure Storage

Contributing

Refer to our contributing guidelines if you'd like to raise a bug or pull request.
