This is the security guidance for all open-source repositories managed by the Secret Intelligence Service (SIS) which is also known as MI6. This explains how you should report vulnerabilities to SIS and what you may not do if you're testing our projects for vulnerabilities.

Within SIS we will quickly triage and assess reported vulnerabilities with our cyber security and information assurance teams.

Our open source projects are supported on a best endeavours basis. We'll patch to the latest version and not retrospectively, so please always make sure you're using our latest releases.

You can report a vulnerability in one of our open source repositories by raising an issue on GitHub. Alternatively, you can send an email to icds@gchq.gov.uk.

When reporting a vulnerability to us, please include:

• the website, page or repository where the vulnerability can be observed
• a brief description of the vulnerability
• details of the steps we need to take to reproduce the vulnerability
• non-destructive exploitation details

If you can, please also include:

• the type of vulnerability, for example, the OWASP category
• screenshots or logs showing the exploitation of the vulnerability

When you are investigating and reporting the vulnerability in one of SIS's open source repositories, or a website on the SIS domain or subdomain, you must not:

• break the law
• access unnecessary or excessive amounts of data
• modify data
• use high-intensity invasive or destructive scanning tools to find vulnerabilities
• try a denial of service - for example overwhelming a service on sis.gov.uk with a high volume of requests to disrupt sis.gov.uk services or systems
• tell other people about the vulnerability you have found until we have disclosed it
• social engineer, phish or physically attack our staff or infrastructure
• demand money to disclose a vulnerability