Guidance

Report a vulnerability on a Companies House system

How to report a security vulnerability on a Companies House service or system.

Read this vulnerability disclosure policy fully before you report a vulnerability. You should always act in compliance with this policy.

This policy applies to any vulnerabilities you're considering reporting to Companies House.

We value those who take the time and effort to report security vulnerabilities in line with this policy. However, we do not offer monetary rewards for vulnerability disclosures.

Report a vulnerability

If you believe you have found a security vulnerability .

In your report, you must include details of:

  • the website, IP or page where you have found the vulnerability

  • a brief description of the type of vulnerability, for example, 'XSS vulnerability'

  • steps to reproduce

The steps to reproduce should be a benign, non-destructive proof of concept. This helps to make sure that we can triage the report quickly and accurately. It also reduces the chance of duplicate reports and of malicious exploitation of some classes of vulnerability, such as sub-domain takeovers, where demonstrating the dangling record is enough and actually claiming the resource is not needed.

Guidance for reporting a vulnerability

You must not:

  • break any law or regulations
  • access unnecessary, excessive or significant amounts of data
  • modify data in Companies House's systems or services
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests
  • disrupt Companies House's services or systems
  • submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with 'best practice', for example missing security headers
  • submit reports detailing TLS configuration weaknesses, for example 'weak' cipher suite support or the presence of TLS1.0 support
  • communicate any vulnerabilities or associated details other than by means described in the published security.txt
  • social engineer, 'phish' or physically attack Companies House's staff or infrastructure
  • demand financial compensation to disclose any vulnerabilities
  • publicly disclose any resolved vulnerability report without prior written consent from Companies House

You must:

  • securely delete all data retrieved during your research as soon as it's no longer needed or within 1 month of the vulnerability being resolved - whichever occurs first, or as otherwise required by data protection law
  • always comply with data protection rules and not violate the privacy of Companies House's users, staff, contractors, services or systems - for example, you must not share, redistribute or fail to properly secure data retrieved from the systems or services

What to expect after you have submitted your report

We'll respond to your report within 5 working days. We'll aim to triage your report within 10 working days. We'll also aim to keep you informed of our progress.

We assess the priority for remediation by looking at the:

  • impact
  • severity
  • exploit complexity

Vulnerability reports might take some time to triage or address. You're welcome to ask about the status but do not ask more than once every 14 days. This gives our teams time to focus on the remediation.

We'll notify you when your reported vulnerability is remediated. We might invite you to confirm that the solution covers the vulnerability adequately.

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any way that's inconsistent with the law or might cause Companies House or our partner organisations to be in breach of any legal obligations.

If a third party initiates legal action against you and you have complied with this policy, we can take steps to make it known that your actions complied with this policy.

Updates to this page

Published 1 November 2021
