Ministry of Defence Supply Chain VDP
Introduction
The Ministry of Defence understands the importance of protecting its Supply Chain and is working with a group of its suppliers to improve security practices. We look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Program Highlights
- Closed Scope: Only accepts reports based on the listed scope.
- Gold Standard Safe Harbor: Adheres to Gold Standard Safe Harbor.
- Coordinated Vulnerability Disclosure: Follows Standard Coordinated Vulnerability Disclosure practices.
- Top Response Efficiency: This program's response efficiency is above 90%.
Response Times
- Average time to first response: 9 hours
- Average time to triage: 21 hours
- Average time to resolution: 1 month, 11 hours
Overview
This program covers the suppliers listed below, which are part of the UK Ministry of Defence's supply chain:
- Mactaggart Scott
- Inzpire
- Thornton Tomasetti
- Kahootz
- L3Harris
- Prolinx
We are only able to accept reports for the scope items listed in the scope section of the program.
Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with the explicit permission of the account holder.
Session Layer: HTTP Headers
Researchers should add headers such as the following to their requests:
- "X-HackerOne-Research: [H1 username]"
Thank you for helping keep the Ministry of Defence Supply Chain and our users safe!