Report a vulnerability

The Royal Household takes the security of our systems seriously. This page provides guidance on how to report a security vulnerability identified within any publicly accessible Royal Household website, system, application or infrastructure. 

Vulnerability Disclosure Policy

It’s highly recommended that you read this Vulnerability Disclosure Policy fully before you report a vulnerability. This helps ensure that you fully understand the policy and act in compliance with it. 

Reporting

If you have discovered a vulnerability within a Royal Household website, system, or application, please submit a vulnerability report using the HackerOne platform.

In your submission, include details of:

The website, IP or page where the vulnerability can be observed.

A brief description of the type of vulnerability, for example an ‘XSS vulnerability’.

Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

What to expect

After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress. 

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation. 

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.

Rules of Engagement

You must NOT:

Break any applicable laws or regulations.

Communicate any vulnerabilities or associated details other than by means described in the published security.txt.

Use high-intensity invasive or destructive technical security scanning tools, that could impact the quality of service of Royal Household infrastructure or services, to find vulnerabilities.

Engage in physical testing of facilities or resources or perform social engineering on The Royal Household.

Attempt or report any form of denial of service, for example, overwhelming a service with high volume requests.

Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS 1.0 support.

Demand financial compensation before or after disclosing any vulnerabilities.

You must also not disclose any vulnerability found within a Royal Household system, website or application to third parties or the public before The Royal Household has confirmed that those vulnerabilities have been mitigated or remediated. This is not intended to stop you from notifying a vulnerability to third parties for whom the vulnerability is directly relevant, it’s to maintain confidentiality of communications and ensure Royal Household systems remain protected until the vulnerability has been remediated. 

You must:

Always comply with data protection rules and must not violate the privacy of The Royal Household users, staff, contractors, services, or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.

Conform to the HackerOne Code of Conduct: https://www.hackerone.com/policies/code-of-conduct

Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or that might cause The Royal Household to be in breach of any of its legal obligations, including but not limited to:

The Computer Misuse Act (1990)

The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018

The Copyright, Designs and Patents Act (1988)

The Official Secrets Act (1989)

The Royal Household will not seek prosecution of any security researcher who reports any security vulnerability in a Royal Household service or system where the researcher has acted in good faith and in accordance with this disclosure policy.

Related content

Press release 02 April 2024

Announcement of a new Governor-General of Australia

Read more
Press release 06 February 2024

A Statement from Buckingham Palace

Read more

Message from The King for the 2024 Royal Maundy Service

It is my special prayer today that Our Lord’s example of serving one another might continue to inspire us and to strengthen all our communities.

28 March 2024

The Queen's speech at a reception to mark the results of The Queen’s Reading Room study

We share a very special bond, ladies and gentlemen – our love of books. Thank you for helping to spread the word.

26 March 2024

Message from The King to mark the 70th anniversary of the end of the Korean War

It is our duty to remember what was once called “the Forgotten War”.

19 March 2024
About

The Duke and Duchess of Sussex

As announced in January 2020, The Duke and Duchess of Sussex have stepped back as working members of The Royal Family. The couple married in St George's Chapel, Windsor on 19 May 2018 and have two children: Prince Archie of Sussex and Princess Lilibet of
The Duke and Duchess of Sussex

A speech by Her Majesty The Queen at a reception to celebrate International Women’s Day and to mark the end of the WOW Girls Festival Bus tour

Let your lives be the stones that will shatter glass ceilings everywhere and inspire generations to come.

12 March 2024
News

Commonwealth Day 2024

11 March 2024
Commonwealth Day Service 2024

The King's Commonwealth Day Message 2024

The Commonwealth family is strongest when we are connected, through friendship.

11 March 2024

A speech by Her Majesty The Queen at the Grand Final of BBC's 500 Words, Buckingham Palace

Between you, you have created more than a million stories of thought-provoking adventure for future generations to study and enjoy. Thank you to everybody who has taken part...

28 February 2024

A message of condolence from The King to the President of Tanzania following the passing of former Tanzanian President, Ali Hassan Mwinyi

My thoughts and prayers are with former President Mwinyi’s family and the Tanzanian people at this time.

06 March 2024

A speech by The Duchess of Edinburgh, via video message, at the Restoration of the Conflict-Related Sexual Violence Survivors’ Rights Conference, Ukraine

We must stand shoulder to shoulder with all survivors to secure justice and holistic redress, and ensure that this crime isn’t an accepted part of conflict.

04 March 2024

The King's message marking two years of conflict in Ukraine

My heart goes out to all those affected, as I remember them in my thoughts and prayers.

24 February 2024