Report a vulnerability

The Royal Household takes the security of our systems seriously. This page provides guidance on how to report a security vulnerability identified within any publicly accessible Royal Household website, system, application or infrastructure. 

Vulnerability Disclosure Policy

It’s highly recommended that you read this Vulnerability Disclosure Policy fully before you report a vulnerability. This helps ensure that you fully understand the policy and act in compliance with it. 


If you have discovered a vulnerability within a Royal Household website, system, or application, please submit a vulnerability report using the HackerOne platform.

In your submission, include details of:

The website, IP or page where the vulnerability can be observed.

A brief description of the type of vulnerability, for example an ‘XSS vulnerability’.

Steps to reproduce. These should be a benign, non-destructive, proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

What to expect

After you have submitted your report, we will respond to your report within 5 working days and aim to triage your report within 10 working days. We’ll also aim to keep you informed of our progress. 

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation. 

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.

Rules of Engagement

You must NOT:

Break any applicable laws or regulations.

Communicate any vulnerabilities or associated details other than by means described in the published security.txt.

Use high-intensity invasive or destructive technical security scanning tools, that could impact the quality of service of Royal Household infrastructure or services, to find vulnerabilities.

Engage in physical testing of facilities or resources or perform social engineering on The Royal Household.

Attempt or report any form of denial of service, for example, overwhelming a service with high volume requests.

Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS 1.0 support.

Demand financial compensation before or after disclosing any vulnerabilities.

You must also not disclose any vulnerability found within a Royal Household system, website or application to third parties or the public before The Royal Household has confirmed that those vulnerabilities have been mitigated or remediated. This is not intended to stop you from notifying a vulnerability to third parties for whom the vulnerability is directly relevant, it’s to maintain confidentiality of communications and ensure Royal Household systems remain protected until the vulnerability has been remediated. 

You must:

Always comply with data protection rules and must not violate the privacy of The Royal Household users, staff, contractors, services, or systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.

Conform to the HackerOne Code of Conduct:

Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).


This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or that might cause The Royal Household to be in breach of any of its legal obligations, including but not limited to:

The Computer Misuse Act (1990)

The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018

The Copyright, Designs and Patents Act (1988)

The Official Secrets Act (1989)

The Royal Household will not seek prosecution of any security researcher who reports any security vulnerability in a Royal Household service or system where the researcher has acted in good faith and in accordance with this disclosure policy.

Related content

A speech by The Duchess of Edinburgh, via video message, at the Restoration of the Conflict-Related Sexual Violence Survivors’ Rights Conference, Ukraine

We must stand shoulder to shoulder with all survivors to secure justice and holistic redress, and ensure that this crime isn’t an accepted part of conflict.

04 March 2024

The King's message marking two years of conflict in Ukraine

My heart goes out to all those affected, as I remember them in my thoughts and prayers.

24 February 2024

A message from His Majesty The King to Grenada marking their 50th year of Independence

On the occasion of the fiftieth Anniversary of the Independence of Grenada, it gives me great pleasure to send you all my congratulations and warmest good wishes.

07 February 2024

A message from His Majesty The King for the launch of Big Help Out 2024

I have long believed that one of the greatest strengths of our nation is our ability to come together and help each other through times of hardship. Throughout my life, I have...

31 January 2024

The Queen's Introduction to Queen Mary's Dolls' House's Modern-Day Miniature Library

It has continued to enchant generations of children and adults who come to marvel at its perfect proportions, extraordinary attention to detail and, perhaps above all, the...

30 January 2024
Press release 29 January 2024

A statement from Buckingham Palace

Read more
Press release 26 January 2024

A message from The King on Holocaust Memorial Day 2024

Read more
Press release 25 January 2024

The King's Gold Medal for Poetry 2023

Read more

The Queen visits Swindon

22 January 2024
Queen Camilla smiles after unveiling a plaque during a visit to the Swindon Domestic Abuse Support Service's (SDASS) in Wiltshire, to mark the charity's 50th anniversary and highlight their work in support, prevention, education and early intervention, including work with perpetrators of domestic abuse.
Press release 17 January 2024

A statement from Kensington Palace

Read more

A message from His Majesty The King to Their Majesties King Frederik X and Queen Mary of Denmark

I look forward to working with you on ensuring that the enduring bond between our countries, and our families, remains strong, and to working together with you on issues which...

15 January 2024

The King's Christmas Broadcast 2023

And at a time of increasingly tragic conflict around the World, I pray that we can also do all in our power to protect each other.

25 December 2023