The Defence Digital Digital Standards policy is to avoid leaving the ecosystem worse than we found it: we do not intend to introduce vulnerabilities into the ecosystem.
The Defence Digital Digital Standards team takes security vulnerabilities in the MOD.UK Design System seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
The table below details which versions of the MOD.UK Design System are supported with bug fixes and security updates:

| Version | Supported |
|---|---|
| 2.x | ✅ |
| 1.x | ❌ |
Version and release note documentation
Please report vulnerabilities to us using the guidelines outlined below.
To report a security issue, email [email protected] and include the word "SECURITY" in the subject line.
Please include:
- Your name and affiliation (if any)
- A brief description of the vulnerability
- The website page or repository component where the vulnerability exists
- Steps to reproduce the vulnerability. It is important that we can reproduce your findings.
- Optionally, the type of vulnerability and any applicable OWASP category
The Defence Digital Digital Standards team will send a response indicating the next steps in handling your report. After the initial reply, the team will keep you informed of progress towards a fix and a full announcement, and may ask for additional information or guidance.
Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the programme. Common examples include cross-site scripting (XSS), server-side code injection (including server-side includes, SSI), cross-site request forgery (CSRF), server-side request forgery (SSRF), remote code execution (RCE), sensitive data exposure and privilege escalation.
The following are not in scope: volumetric attacks, for example denial of service by overwhelming a service with a high volume of requests.
We recommend following the OWASP guidance for developing secure Node.js applications.
We will publish here any known security improvements that have not yet been addressed. Contributions are welcome.
Defence Digital Digital Standards security policy version 1.1.0