Report a vulnerability on a Hampshire PCC domain or subdomain

A vulnerability is a technical issue with one of our websites which attackers or hackers could use to exploit the website and its users.

Vulnerabilities are covered by this policy if the security.txt file for the domain points to this page.

You will not be paid a reward for reporting a vulnerability (known as a ‘bug bounty’).

 

How to report a vulnerability

Include in your report:

  • the IP address and/or URL of the page where you found the vulnerability
  • a description of the type of vulnerability – for example, XSS vulnerability
  • details of the steps we need to take to reproduce the vulnerability
  • screenshots or logs if you have them

Email your report to opcc.comms@hampshire.police.uk.

 

Guidelines for reporting a vulnerability

When you are investigating and reporting the vulnerability on a Hampshire PCC domain or subdomain, you must not:

  • break the law
  • access unnecessary or excessive amounts of data
  • modify data
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • try a denial of service – for example, overwhelming a service on GOV.UK with a high volume of requests
  • disrupt Hampshire PCC’s services or systems
  • tell other people about the vulnerability you have found until we have disclosed it
  • social engineer, phish or physically attack our staff or infrastructure
  • demand money to disclose a vulnerability

Only submit reports about exploitable vulnerabilities through the email address given.

Contact us to report other issues including:

  • a non-exploitable vulnerability
  • something you think could be improved – for example, missing security headers
  • TLS configuration weaknesses – for example, weak cipher suite support or the presence of TLS 1.0 support

 

Data protection

You must follow data protection rules when reporting a vulnerability. This means you cannot share any data you might retrieve from any Hampshire PCC domain or subdomain when researching the vulnerability.

You must keep the data secure until you delete it. You must delete the data as soon as we no longer need it or no later than 1 month after the vulnerability has been resolved – whichever comes first.

 

After you’ve reported the vulnerability

You’ll get updates on progress in fixing the vulnerability via the email address you submit from.

You’ll get confirmation that we have received your report within 5 working days. We’ll try to assess your report within 10 working days. We prioritise fixes by impact, severity and exploit complexity.

Once the vulnerability has been fixed, we can work with you to disclose and publish the report.

 

Last updated 22 April 2022
