This is the security notice for all DfE (Department for Education) repositories. The notice explains how vulnerabilities should be reported to the DfE. At the DfE there are cyber security and information assurance teams, as well as security-conscious people within the programmes, that assess and triage all reported vulnerabilities.
The Department for Education is an advocate of responsible vulnerability disclosure. If you’ve found a vulnerability, we would like to know so we can fix it.
Send details to opensource@digital.education.gov.uk, including:
- the website, page or repository where the vulnerability can be observed
- a brief description of the vulnerability
- optionally, the type of vulnerability and any related OWASP category
- non-destructive exploitation details
The following are not in scope:
- volumetric vulnerabilities, for example overwhelming a service with a high volume of requests
- reports indicating that our services do not fully align with "best practice", for example missing security headers
If you are not sure, you can still contact us via email at opensource@digital.education.gov.uk.
Unfortunately, the DfE doesn't offer a paid bug bounty programme. The DfE will make efforts to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly.
The DfE has a contributors code of conduct, which you can find here: CODE_OF_CONDUCT.md