Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what criteria his Department uses to determine good faith security research, as outlined in his Department’s Vulnerability Disclosure Policy.

The Department has two Vulnerability Disclosure Policies (VDPs) - the NHS COVID-19 App VDP, specifically for the NHS Test and Trace App and its supporting infrastructure and the NHSX VDP supporting the COVID-19 'Test, Track and Trace' programme of work.

The intention behind the reference to 'in good faith' is to support a mechanism for cooperation with security researchers with the aim to identify and quickly remediate reported vulnerabilities. As such, the research/ vulnerability disclosure must be carried out in an honest and sincere way with the intention of improving security and without affecting the safety, security and continuity of any data or service in accordance with the disclosure policy and consistent with the law.