Report a vulnerability

The Royal Household takes the security of our systems seriously. This page provides guidance on how to report a security vulnerability identified within any publicly accessible Royal Household website, system, application or infrastructure. 

Vulnerability Disclosure Policy

It’s highly recommended that you read this Vulnerability Disclosure Policy fully before you report a vulnerability. This helps ensure that you fully understand the policy and act in compliance with it. 

Reporting

If you have discovered a vulnerability within a Royal Household website, system, or application, please submit a vulnerability report using the HackerOne platform.

In your submission, include details of:

The website, IP or page where the vulnerability can be observed.

A brief description of the type of vulnerability, for example an ‘XSS vulnerability’.

Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

What to expect

After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress. 

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation. 

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.

Rules of Engagement

You must NOT:

Break any applicable laws or regulations.

Communicate any vulnerabilities or associated details other than by means described in the published security.txt.

Use high-intensity invasive or destructive technical security scanning tools, that could impact the quality of service of Royal Household infrastructure or services, to find vulnerabilities.

Engage in physical testing of facilities or resources or perform social engineering on The Royal Household.

Attempt or report any form of denial of service, for example, overwhelming a service with high volume requests.

Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS 1.0 support.

Demand financial compensation before or after disclosing any vulnerabilities.

You must also not disclose any vulnerability found within a Royal Household system, website or application to third parties or the public before The Royal Household has confirmed that those vulnerabilities have been mitigated or remediated. This is not intended to stop you from notifying a vulnerability to third parties for whom the vulnerability is directly relevant, it’s to maintain confidentiality of communications and ensure Royal Household systems remain protected until the vulnerability has been remediated. 

You must:

Always comply with data protection rules and must not violate the privacy of The Royal Household users, staff, contractors, services, or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.

Conform to the HackerOne Code of Conduct: https://www.hackerone.com/policies/code-of-conduct

Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or that might cause The Royal Household to be in breach of any of its legal obligations, including but not limited to:

The Computer Misuse Act (1990)

The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018

The Copyright, Designs and Patents Act (1988)

The Official Secrets Act (1989)

The Royal Household will not seek prosecution of any security researcher who reports any security vulnerability in a Royal Household service or system where the researcher has acted in good faith and in accordance with this disclosure policy.

Related content

The King's speech at at Government House, Bermuda

Returning to Bermuda on this occasion has been a particular joy, and especially to celebrate anew all those who have contributed to its history, and those now shaping its...

01 May 2026

A speech by The King on the Presentation of New Colours to the Royal Marines, Windsor Castle

It is most heartening to see the representatives of some of our oldest and closest international allies and partners present on this very special occasion. I can only pray...

05 June 2026

The King's remarks at the Gurkha Artillery Formation Parade, Larkhill

This occasion marks not simply the union of two distinguished institutions, but a powerful reaffirmation of the enduring and deeply valued relationship between the United...

04 June 2026

A speech by The Queen at the Founder's Day Parade, Royal Hospital Chelsea

You offer care, camaraderie and community to those men and women who have served our nation, while always upholding the highest of standards.

04 June 2026

Remarks by The King at 'A King's Trust Celebration' at the Royal Albert Hall

You'll all make a huge difference to this country and many others.

18 May 2026
News

The King visits Bermuda

01 May 2026
The King in Bermuda

A speech by His Majesty The King at the White House State Dinner, Washington

Tonight, we are here to renew an indispensable alliance which has long been a cornerstone of prosperity and security for both British and American citizens. Our people have...

29 April 2026

The King’s Address to the Joint Meeting of Congress in Washington

The Alliance that our two Nations have built over the centuries – and for which we are profoundly grateful to the American people – is truly unique.

28 April 2026

The King’s message to commemorate the 100th anniversary of the birth of Queen Elizabeth II

Queen Elizabeth’s ‘promise with destiny kept’ shaped the world around her and touched the lives of countless people across our nation, the Commonwealth and beyond.

20 April 2026

The King's letter to Colonel Jeremy Hansen ahead of the launch of the Artemis II mission

It is with immense pride and a profound sense of shared purpose that I write to you as you prepare to embark upon the Artemis II mission.

31 March 2026

A Speech by The Queen at a Literary Reception to mark the fifth anniversary of Her Majesty's Reading Room

I find it hard to believe that it is five years since I founded it, at the height of lockdown, with the simple aim of sharing my lifelong conviction that books make life...

25 March 2026
News

Royal Maundy 2026

02 April 2026
Royal Maundy 2026

The King's speech at the Nigeria State Banquet

We in the United Kingdom are blessed that so many people of Nigerian heritage, having chosen Britain as their home, are now at the heart of British life through excelling at...

18 March 2026

The Queen's speech at a WOW reception to mark International Women's Day

Every woman has a story. And these stories must be told. Because when we live in a culture of silence, we empower violence against women and girls.

10 March 2026
News

Commonwealth Day 2026

12 March 2026
Members of The Royal Family attend The Queen Elizabeth Prizes for Education

The King's Commonwealth Day Message 2026

Working together, we can ensure that the Commonwealth continues to stand as a force for good – grounded in community, committed to the kind of restorative sustainability that...

08 March 2026