Vulnerability reporting guidelines
Vulnerability disclosure is the practice of reporting security flaws in computer software or hardware.
- Please do not share the vulnerability information beyond NESC and/or the National Cyber Security Centre (NCSC) without express consent from the owner.
- If you do not wish to report a vulnerability to NESC directly, please follow the NCSC’s guidance https://www.ncsc.gov.uk/information/vulnerability-reporting.
- Vulnerabilities reported to the Hacker One platform can be submitted without the need to create a Hacker One account. However, if you wish to be updated you should create an account.
- To submit your report, you will need to agree to the HackerOne Terms and Conditions and acknowledge that you have read their Privacy Policy and Disclosure Guidelines
- Once you have submitted the report, it will be assessed by NCC Group within five working days, and forwarded to the affected owners as soon as possible.
We will respond to you with an update about the reported vulnerability within 5 working days.