Merge pull request #35 from DFE-Digital/update-with-gov-uk-page
GOV.UK page and minor fixes to readme
Showing 2 changed files with 7 additions and 3 deletions.
@@ -1,6 +1,8 @@ | ||
# Vulnerability Disclosure Program | ||
The [vulnerability disclosure program (VDP)](https://www.ncsc.gov.uk/information/vulnerability-disclosure-toolkit) is a project that DfE has been onboarding to with the help of NCSC. It involves a toolkit designed to help us make it easier for security researchers to contact the correct teams to report vulnerabilities they've discovered. | ||
|
||
All information on [how to report a vulnerability to DfE as part of the VDP](https://www.gov.uk/guidance/report-a-vulnerability-on-a-department-for-education-system) have been posted to our GOV.UK site. | ||
|
||
Security.txt file: [https://vdp.security.education.gov.uk/.well-known/security.txt](https://vdp.security.education.gov.uk/.well-known/security.txt) | ||
|
||
Thanks.txt file: [https://vdp.security.education.gov.uk/thanks.txt](https://vdp.security.education.gov.uk/thanks.txt) | ||
|
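Review bot: subject-verb agreement in the added sentence: "All information on [how to report a vulnerability to DfE as part of the VDP](...) have been posted to our GOV.UK site" should read "has been posted", since "information" is singular. Otherwise the new line reads well, and pointing researchers to the GOV.UK guidance ahead of the raw security.txt and thanks.txt links is the right order for a first-time reader.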
@@ -51,16 +53,18 @@ resource "azurerm_cdn_frontdoor_rule" "security_txt_rule" { | |
transforms = ["Lowercase", "RemoveNulls", "Trim"] | ||
} | ||
} | ||
} | ||
``` | ||
|
||
## Ensure the VM team have your current contact information | ||
To make sure that the VM team can contact the right people in your team within a reasonable time period after a disclosure has been sent to them ([email protected]), we ask that you provide a group email address to them so you can be contacted regardless of leavers/joiners processes. | ||
To make sure that the VM team can contact the right people in your team within a reasonable time period after a disclosure has been sent in, we ask that you provide a group email address to [[email protected]](mailto:[email protected]) so you can be contacted regardless of leavers/joiners processes. | ||
|
||
## Contributing to the security.txt or thanks.txt | ||
The security.txt and thanks.txt files are deployed through Terraform to Azure Storage Blobs as a static site. | ||
|
||
Raise a Pull Request (PR) against the repository if you want to suggest improvements to the files or deployment. A member of CISD will review and approve PRs, which will trigger a GitHub Actions pipeline to redeploy the changes. | ||
If a security researcher has requested a bounty, ensure you state that we do not provide monetary bounties but will be happy to list their name under our acknowledgements page (`thanks.txt`). This can be done whether the notification was through the VDP or not. You can either request the change from the VM team or raise a PR directly. | ||
|
||
If a security researcher has requested a bounty, ensure you state that we do not provide monetary bounties but will be happy to list their name under [our acknowledgements page](https://vdp.security.education.gov.uk/thanks.txt) (`thanks.txt`). This can be done whether the notification was through the VDP or not. You can either request the change from the VM team or raise a PR directly. | ||
|
||
## Design decisions | ||
|
||
|
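Review bot: the replacement paragraph beginning "If a security researcher has requested a bounty" states the no-bounty policy only as guidance for staff replying after a report arrives; consider also stating it in the researcher-facing GOV.UK guidance linked at the top of the file so reporters learn it before they submit, which reduces back-and-forth on the shared mailbox. Minor: "VM team" and "CISD" appear in these lines without expansion; if they are not expanded earlier in the README, spell them out on first use. The rewritten contact sentence ("we ask that you provide a group email address to [...]") is clearer than the old version, which left it ambiguous who the group address was for.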