Report a security issue in an HMRC online service
Find out how to report a potential security issue or vulnerability in an HMRC online service and what information to provide.
If you think you’ve found a security issue in an HMRC online service you should:
- report it to us as soon as possible using the National Cyber Security Centre (NCSC) Vulnerability Reporting Service on their website
- avoid doing anything to exploit it
To help us understand the nature and scope of the issue, you will be asked about:
- the type of issue (for example, buffer overflow, SQL injection, cross-site scripting)
- a proof-of-concept or exploit code
- the location of the bug or the relevant URL
- the impact of the issue, including how an attacker could exploit it
What happens next
HMRC takes the security of online systems very seriously. We’ll investigate all reports and take action where necessary.
You will only receive an update for your report if you sign up to the NCSC platform.
Updates to this page
Published 18 April 2018Last updated 22 July 2024 + show all updates
-
Information about what you should do when you find a security issue in an HMRC online service has been updated.
-
The email address for reporting security vulnerabilities has been updated and information about encrypting an email before reporting a security vulnerability has been removed.
-
Welsh version of the guidance has been added.
-
Information for the National Cyber Security Centre Vulnerability Reporting Service added to the page.
-
First published.