A vulnerability is a technical flaw in a service that an attacker could exploit to compromise the service or its users.

A vulnerability is in scope of this policy when the security.txt file for the affected domain (served at /.well-known/security.txt) points to this page.

Please note that, as a public sector organisation, we are unable to offer a financial reward for reports.

How to submit a vulnerability report

Email vulnerability@coventry.gov.uk.

Please include as much of the following information as you can:

  1. The IP address and/or URL where the vulnerability was found.
  2. A clear description of the vulnerability type, for example cross-site scripting (XSS).
  3. Step-by-step instructions to reproduce the vulnerability.
  4. Screenshots or log files as supporting evidence, if you have them.

Guidelines for reporting a vulnerability

When investigating and reporting a vulnerability on the Coventry.gov.uk domain or any of its subdomains, you must follow these guidelines:

  1. Do not break the law.
  2. Do not access more data than is necessary to demonstrate the issue.
  3. Do not modify any data.
  4. Do not use intrusive or destructive scanning tools when looking for vulnerabilities.
  5. Do not attempt any form of denial of service, such as flooding Coventry.gov.uk services with an excessive volume of requests.
  6. Do not disrupt or degrade Coventry.gov.uk services or systems.
  7. Do not disclose the vulnerability to anyone else until we have published it.
  8. Do not use social engineering, phishing or physical attacks against our staff or infrastructure.
  9. Do not demand payment in exchange for disclosing a vulnerability.

We also welcome reports of non-exploitable weaknesses, or of areas you think could be improved, for example:

  • Missing security headers.
  • Weak TLS configuration, such as support for weak cipher suites or for TLS 1.0.
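The two checks below are an added example, not tooling from Coventry City Council: they show how a reporter can confirm, without touching the service beyond one ordinary request, that a domain's security.txt is well formed and links to a policy (the scope rule above), and which commonly expected security headers are missing or weakly set in a response (the "missing security headers" item above). The security.txt contents, the Policy URL (a placeholder) and the HTTP headers are constructed for illustration; the one-year HSTS max-age threshold is a common recommendation chosen here, not a requirement of this policy. TLS version and cipher checks need a live handshake and are not shown.

```python
"""
Offline pre-flight checks for a vulnerability report (added example, not the
council's own code). All inputs below are constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Field names from RFC 9116 (security.txt). Contact and Expires are mandatory.
REQUIRED_FIELDS = {"contact", "expires"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Headers most reviewers expect on a public HTTPS site, with the reason.
EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS on future visits",
    "content-security-policy": "limits script and frame sources; mitigates XSS",
    "x-content-type-options": "stops MIME sniffing (should be 'nosniff')",
    "x-frame-options": "clickjacking guard (or CSP frame-ancestors)",
    "referrer-policy": "limits URL leakage to third parties",
}
ONE_YEAR = 31536000


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines into a dict keyed by lower-cased field name.

    Fields may repeat (several Contact lines), so each key maps to a list.
    Comments (#), blank lines and lines without a colon (e.g. a PGP
    clear-signature wrapper) are skipped.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def security_txt_findings(fields: dict[str, list[str]], now: datetime | None = None) -> list[str]:
    """Return human-readable problems with a parsed security.txt (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    findings = [f"missing required field: {f}" for f in sorted(REQUIRED_FIELDS - fields.keys())]
    for value in fields.get("expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            findings.append("security.txt has expired; treat its contents as unverified")
    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    if "policy" not in fields:
        findings.append("no Policy field, so no disclosure policy is linked from security.txt")
    return findings


def header_findings(headers: dict[str, str]) -> list[str]:
    """Flag missing or weakly configured security headers in one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []
    csp = h.get("content-security-policy", "")
    for name, why in EXPECTED_HEADERS.items():
        if name in h:
            continue
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue  # CSP frame-ancestors supersedes X-Frame-Options
        findings.append(f"missing {name} ({why})")
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((d for d in directives if d.startswith("max-age=")), "")
        try:
            seconds = int(max_age.split("=", 1)[1]) if max_age else 0
        except ValueError:
            seconds = 0
        if seconds < ONE_YEAR:
            findings.append("strict-transport-security max-age below one year")
    if h.get("x-content-type-options", "nosniff").strip().lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")
    return findings


# Constructed sample inputs (not captured from coventry.gov.uk).
SAMPLE_SECURITY_TXT = """\
# constructed example file
Contact: mailto:vulnerability@coventry.gov.uk
Expires: 2030-01-01T00:00:00Z
Policy: https://example.org/vulnerability-disclosure-policy
Preferred-Languages: en
"""
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    fields = parse_security_txt(SAMPLE_SECURITY_TXT)
    for finding in security_txt_findings(fields) + header_findings(SAMPLE_HEADERS):
        print("-", finding)
```

Both functions are passive: the only request needed is the one that fetched the security.txt and the response headers, which keeps the check within the "no intrusive scanning" guideline. The findings list is a reasonable starting point for the "non-exploitable weaknesses" section of a report.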

Data protection

You must comply with data protection law when reporting a vulnerability. In particular, do not share any data you obtained from Coventry.gov.uk while investigating the issue.

You must keep any such data secure and delete it as soon as it is no longer needed, and in any case no later than one month after the vulnerability has been fixed, whichever is sooner.

After you’ve reported the vulnerability:

  • We will acknowledge receipt of your report within five working days and aim to triage it within ten working days. We prioritise reports by impact, severity and exploit complexity.
  • You will receive regular updates on progress towards fixing the vulnerability.
  • Once the vulnerability has been fixed, we can work with you on how and when to disclose and publish the report.