Merge pull request #35 from DFE-Digital/update-with-gov-uk-page
GOV.UK page and minor fixes to readme
pritchyspritch authored Sep 25, 2024
2 parents 5cabd86 + 318b533 commit 07b5419
Showing 2 changed files with 7 additions and 3 deletions.
8 changes: 6 additions & 2 deletions README.md
@@ -1,6 +1,8 @@
# Vulnerability Disclosure Program
The [vulnerability disclosure program (VDP)](https://www.ncsc.gov.uk/information/vulnerability-disclosure-toolkit) is a project that DfE has been onboarding to with the help of NCSC. It involves a toolkit designed to help us make it easier for security researchers to contact the correct teams to report vulnerabilities they've discovered.

All information on [how to report a vulnerability to DfE as part of the VDP](https://www.gov.uk/guidance/report-a-vulnerability-on-a-department-for-education-system) have been posted to our GOV.UK site.

Security.txt file: [https://vdp.security.education.gov.uk/.well-known/security.txt](https://vdp.security.education.gov.uk/.well-known/security.txt)

Thanks.txt file: [https://vdp.security.education.gov.uk/thanks.txt](https://vdp.security.education.gov.uk/thanks.txt)
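Review bot: subject-verb agreement in the added paragraph: "All information on how to report a vulnerability ... have been posted" should read "has been posted", since "information" is singular. Pointing the README at the GOV.UK guidance for the reporting instructions themselves is the right call, as it keeps a single public source of truth for researchers.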
@@ -51,16 +53,18 @@ resource "azurerm_cdn_frontdoor_rule" "security_txt_rule" {
transforms = ["Lowercase", "RemoveNulls", "Trim"]
}
}
}
```

## Ensure the VM team have your current contact information
To make sure that the VM team can contact the right people in your team within a reasonable time period after a disclosure has been sent to them (vulnerability.management@education.gov.uk), we ask that you provide a group email address to them so you can be contacted regardless of leavers/joiners processes.
To make sure that the VM team can contact the right people in your team within a reasonable time period after a disclosure has been sent in, we ask that you provide a group email address to [vulnerability.management@education.gov.uk](mailto:vulnerability.management@education.gov.uk) so you can be contacted regardless of leavers/joiners processes.

## Contributing to the security.txt or thanks.txt
The security.txt and thanks.txt files are deployed through Terraform to Azure Storage Blobs as a static site.

Raise a Pull Request (PR) against the repository if you want to suggest improvements to the files or deployment. A member of CISD will review and approve PRs, which will trigger a GitHub Actions pipeline to redeploy the changes.
If a security researcher has requested a bounty, ensure you state that we do not provide monetary bounties but will be happy to list their name under our acknowledgements page (`thanks.txt`). This can be done whether the notification was through the VDP or not. You can either request the change from the VM team or raise a PR directly.

If a security researcher has requested a bounty, ensure you state that we do not provide monetary bounties but will be happy to list their name under [our acknowledgements page](https://vdp.security.education.gov.uk/thanks.txt) (`thanks.txt`). This can be done whether the notification was through the VDP or not. You can either request the change from the VM team or raise a PR directly.

## Design decisions

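Review bot: "VM team" is never expanded in the visible text; spell it out as "Vulnerability Management (VM) team" at its first mention under the "Ensure the VM team have your current contact information" heading, so a reader who reaches this README from the security.txt knows which team owns the vulnerability.management@education.gov.uk mailbox. The change to a mailto link and linking "our acknowledgements page" directly to thanks.txt both read well, and splitting the bounty paragraph out from the PR instructions makes the no-monetary-bounty position easier to find.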
2 changes: 1 addition & 1 deletion security.txt
@@ -1,4 +1,4 @@
Policy: https://github.com/ukncsc/Vulnerability-Disclosure/blob/master/UK-Government-Vulnerability-Disclosure-Policy.md
Policy: https://www.gov.uk/guidance/report-a-vulnerability-on-a-department-for-education-system
Contact: https://hackerone.com/41ff5198-0e21-4656-9f54-03cce570d7ff/embedded_submissions/new
Acknowledgments: https://vdp.security.education.gov.uk/thanks.txt

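Review bot: the Policy field now points at the GOV.UK guidance page instead of the cross-government NCSC policy text; that is consistent with the README change in this commit, but Policy is the field researchers read before reporting, so confirm the GOV.UK page states (or links to) the policy terms they are expected to follow, not only the contact route. Also, only lines 1-4 of security.txt are shown here: RFC 9116 requires an Expires field, so while the file is being touched, check that it is present further down and not already past its date.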

0 comments on commit 07b5419