The Cabinet Office has awarded a six-figure contract for a supplier to triage the hundreds of vulnerabilities identified on government websites by expert researchers each year.
The department’s Government Security Group unit is taking over responsibility for a Vulnerability Reporting Service (VRS) that was previously housed in the GCHQ-based National Cyber Security Centre and operated on a trial basis.
The transition into a long-term platform run from Whitehall – by a newly created Government Cyber Coordination Centre (GC3) – was first proposed in the Government Cyber Security Strategy published in 2022. According to commercial documents published by the Cabinet Office, the VRS is intended to “coordinate vulnerability disclosure across the government by establishing a central” hub for reports.
The service provides an online means for cyber researchers to tell government about vulnerabilities they have identified. According to the Cabinet Office, in 2022 the system “received 989 valid reports and helped to remediate 440 vulnerabilities across 237 individual UK government organisations”. About four in five vulnerabilities identified via the reporting process were considered to be of “critical” or “high” severity.
A key part of this process is the initial triage stage. This process requires the VRS team to “establish that reported severity and impact are realistic and accurate, and ensure correct prioritisation and escalation”. Once a vulnerability has been triaged, Cabinet Office security professionals may then “encourage and, [where] necessary, mandate departments to fix vulnerabilities”.
The Cabinet Office aims to deliver these triage reports to the affected departments within one week of a vulnerability being reported.
Cyber services firm Logiq Consulting has been appointed to an initial one-year contract to carry out the triage work. The company entered into an agreement with the Cabinet Office at the start of this month. The deal is worth £227,774 – or double this amount, if the department decides to take up an optional one-year extension.
Given the nature of the engagement, the agreement places additional security requirements on the supplier beyond standard government contractual terms. These include undergoing annual IT health checks and using a “protective monitoring system”. The company, and any subcontractors working on its behalf, is also obliged to ensure that all government data is encrypted.
The contract notice indicated that Logiq may be required to deliver as many as 200 triage reports each month and will be expected to support the Government Security Group in maintaining the current service levels of resolving 70% of issues within 30 days, and an overall remediation rate of at least 90%.
“The GC3 is being developed to focus upon cross government data sharing and analysis of data to inform decision making,” the notice added. “The VRS is a key component of providing GC3 with the data and processes to improve resilience to public facing services and systems across government, and establishment of the VRS was included as a key deliverable within the [Government Cyber Security] strategy.
“Failure to maintain a VRS for government organisations presents an unacceptable level of operational and reputational risk. If we do not offer the ability for external researchers to report vulnerabilities once identified, we risk these being exploited by malicious attackers; 80% of vulnerabilities reported in 2022 were rated ‘critical’ or ‘high’ severity, meaning that the likelihood of exploitation and the impact once exploited would have been very significant. We also risk significant reputational damage if researchers choose to release their findings into the public domain.”
The service advises those filing a vulnerability report that they “are welcome to enquire on the status but should avoid doing so more than once every 14 days, [as] this allows our teams to focus on the remediation”.
“We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately,” the service’s homepage states. “Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.”