HMRC has published guidance about how to report a potential security issue in an HMRC online service and what information to provide.
The guidance highlights the seriousness with which HMRC takes the security of its online systems and states that it will investigate all reported vulnerabilities and take action where necessary.
Users of its services are asked to report any potential security issue as soon as possible and to avoid doing anything to exploit the vulnerability.
To help HMRC understand the nature and scope of the issue, if possible those reporting a problem should include the following information:
• the type of issue• the location of the bug or the relevant URL• a proof-of-concept or exploit code• the impact of the issue, including how an attacker could exploit it
To report a potential vulnerability, email vulnerability.reporting@hmrc.gsi.gov.uk.
