Report an online security vulnerability
If you think you’ve found a security vulnerability on our website or an online service, please report it.
Read the guidance and rules before submitting your report.
We don’t offer payment for vulnerability reports.
Thank you for helping to improve our security.
How to report a vulnerability
Use the button to report it to the Scottish Cyber Coordination Centre on the HackerOne platform.
Please include:
- website address, page or IP address where you found the issue
- short description of the vulnerability (for example: “XSS vulnerability”)
- steps to reproduce the issue - these should be safe, non-destructive and proof of concept only.
What happens next
- You will receive a response within 5 working days.
- Your report should usually be reviewed and prioritised within 10 working days.
- You will be updated as the investigation progresses.
Vulnerabilities are prioritised based on impact, severity and complexity. Some reports may take longer to investigate or fix.
You can ask for an update, but please wait at least 14 days between enquiries.
You will be told when the issue is fixed and you may be asked to confirm the solution.
Rules for reporting
You must not:
- break any laws or regulations
- access unnecessary or excessive data
- modify data in our systems or services
- use destructive or high-intensity scanning tools
- attempt denial-of-service attacks
- disrupt our services or systems
- report minor TLS configuration issues
- share vulnerability details except through the method described here
- social-engineer, “phish” or physically attack staff or infrastructure
- demand payment in exchange for reporting a vulnerability.
You must:
- follow all data protection rules
- avoid accessing or sharing personal data
- securely delete any data you collected during testing once no longer required, or within 1 month of the fix.
Legal information
This process is designed to be compatible with common vulnerability disclosure good practice.
It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Midlothian Council or partner organisations to be in breach of any of its legal obligations.
However, if legal action is initiated by a third party against you and you have complied with this process, we can take steps to make it known that your actions were conducted in compliance with this process.
Contact
Email: helpdesk@midlothian.gov.uk