This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

Security: digicatapult/fornax

SECURITY.md

Security Policy

Responsible Disclosure Policy

At Digital Catapult, we take the security of our systems and data seriously. We appreciate the efforts of the security community to help us identify and address vulnerabilities. If you discover a security vulnerability, we encourage you to report it to us in a responsible manner.

Reporting a Vulnerability

To report a security vulnerability, please use the following contact method:

Email: opensource@digitalcatapult.org.uk, using the following PGP key:

When reporting a vulnerability, please include the following information:

  1. A description of the vulnerability and its potential impact.
  2. Detailed steps to reproduce the vulnerability.
  3. Any potential mitigation steps we can take.
  4. Your contact information (optional), so we can reach out if we need further information.

Our Commitment

  • We will acknowledge receipt of your vulnerability report within 3 business days.
  • We will work with you to understand and resolve the issue as quickly as possible.
  • We will keep you informed of the status of your reported vulnerability.
  • We will credit you as the reporter of the vulnerability if you desire, or keep your report anonymous if you prefer.

Responsible Disclosure Guidelines

We follow the principles of responsible disclosure as outlined in the following resources:

Scope

The scope of our responsible disclosure policy includes:

  • All public-facing web applications and services.
  • All software made available by Digital Catapult that has not been publicly archived or is tagged as "non-production".
  • Any other services operated by Digital Catapult that process or store sensitive information.

Exclusions

The following types of issues are outside the scope of our responsible disclosure policy:

  • Social engineering attacks (e.g., phishing).
  • Denial of service attacks.
  • Physical security vulnerabilities.

Mutual Disclosure

We believe in mutual transparency and cooperation. If a vulnerability report affects other organizations, we will work with them to ensure they are aware and can take appropriate action. Similarly, if a vulnerability in another organization’s product affects us, we expect to be informed so we can protect our systems and users.

Legal

To encourage responsible disclosure, we will not take legal action against individuals who report vulnerabilities to us in good faith and comply with this responsible disclosure policy.

Contact Us

If you have any questions or need further assistance, please contact us at:

Email: opensource@digitalcatapult.org.uk

Thank you for helping us keep Digital Catapult secure.

There aren’t any published security advisories