Report a vulnerability

The Royal Household takes the security of our systems seriously. This page provides guidance on how to report a security vulnerability identified within any publicly accessible Royal Household website, system, application or infrastructure. 

Vulnerability Disclosure Policy

It’s highly recommended that you read this Vulnerability Disclosure Policy fully before you report a vulnerability. This helps ensure that you fully understand the policy and act in compliance with it. 

Reporting

If you have discovered a vulnerability within a Royal Household website, system, or application, please submit a vulnerability report using the HackerOne platform.

In your submission, include details of:

The website, IP or page where the vulnerability can be observed.

A brief description of the type of vulnerability, for example an ‘XSS vulnerability’.

Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

What to expect

After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress. 

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation. 

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.

Rules of Engagement

You must NOT:

Break any applicable laws or regulations.

Communicate any vulnerabilities or associated details other than by means described in the published security.txt.

Use high-intensity invasive or destructive technical security scanning tools, that could impact the quality of service of Royal Household infrastructure or services, to find vulnerabilities.

Engage in physical testing of facilities or resources or perform social engineering on The Royal Household.

Attempt or report any form of denial of service, for example, overwhelming a service with high volume requests.

Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS 1.0 support.

Demand financial compensation before or after disclosing any vulnerabilities.

You must also not disclose any vulnerability found within a Royal Household system, website or application to third parties or the public before The Royal Household has confirmed that those vulnerabilities have been mitigated or remediated. This is not intended to stop you from notifying a vulnerability to third parties for whom the vulnerability is directly relevant, it’s to maintain confidentiality of communications and ensure Royal Household systems remain protected until the vulnerability has been remediated. 

You must:

Always comply with data protection rules and must not violate the privacy of The Royal Household users, staff, contractors, services, or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.

Conform to the HackerOne Code of Conduct: https://www.hackerone.com/policies/code-of-conduct

Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or that might cause The Royal Household to be in breach of any of its legal obligations, including but not limited to:

The Computer Misuse Act (1990)

The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018

The Copyright, Designs and Patents Act (1988)

The Official Secrets Act (1989)

The Royal Household will not seek prosecution of any security researcher who reports any security vulnerability in a Royal Household service or system where the researcher has acted in good faith and in accordance with this disclosure policy.

Related content

The Queen's speech at the launch of the Prix de L’Entente Littéraire at the Bibliothèque Nationale de France

Brigitte Macron and I share a deep love of literature and a passion to promote literacy: through our respective work, we have seen first-hand the life-changing power of books...

21 September 2023

The King's speech at the French Senate

Today, in confronting the greatest challenges of our time, we continue the work of those who came before us. When General de Gaulle spoke to the French people from London in...

21 September 2023

The King's speech during the State Banquet at Versailles

Mr. President, in all of this we can rely on our firm friendship, which is renewed and reinvigorated with each new generation.

20 September 2023
News

State Visit to France

20 September 2023
The King and Queen in Paris

The King's message of condolence following the devastation caused by Storm Daniel.

I admire greatly all those who are engaged tirelessly in the rescue efforts in such dire conditions, and praise their selfless bravery.

14 September 2023
Press release 06 September 2023

The King and Queen will undertake a State Visit to France

Read more

The King's message regarding the states of emergency declared in the Northwest Territories and British Columbia

Our admiration is unbounded for the tireless work of local officials, volunteers and first responders.

23 August 2023

The King's message to the Lionesses following the result of the World Cup final

To have reached the final at all is an immense tribute to your skill, determination and team spirit in the finest sporting tradition.

20 August 2023

The King's message to The Lionesses following their World Cup semi-final victory

Both teams have been an inspiration on and off the pitch – and, for that, both nations are united in pride, admiration and respect.

16 August 2023

The King's message to President Biden following the devastation caused by the wildfires in Hawai’i

Dear Mr. President, My wife and I were utterly horrified to hear of the catastrophic wildfires currently burning in Maui, Hawai’i. We can only begin to imagine the scale of...

12 August 2023
News

The Queen visits Norfolk

24 July 2023
The Queen visits Norfolk