Merge pull request #859 from Jonathan-Scott14/patch-11

Update vulnerability-disclosure.html.md.erb

source/standards/vulnerability-disclosure.html.md.erb

@@ -1,23 +1,26 @@
 ---
 title: Vulnerability Disclosure and security.txt
-last_reviewed_on: 2022-09-23
+last_reviewed_on: 2023-11-21
 review_in: 12 months
 ---
 # <%= current_page.data.title %>
 
 ## Vulnerability Disclosure
 
-In the Cabinet Office, including GDS, the [Cyber Security team] run a
+The [Cabinet Office Cyber Security team] runs a
 vulnerability disclosure programme with [HackerOne] and [NCC Group] to triage
-reports from security researchers.
+reports from security researchers. This is not a sign post for security researchers 
+to 'hack' our systems; we advocate secure disclosure so we can find out about issues
+and fix them before they cause a security incident.
 
-This is not a sign post for security researchers to 'hack' our systems; we want
-to advocate secure disclosure so we can find out about issues and fix them
-before they cause a security incident.
-
-GOV.UK hosts the security policy:
+The public security policy is here:
 <https://www.gov.uk/help/report-vulnerability>
 
+GDS services are within scope of this programme and should participate by:
+
+- publishing a [`security.txt`](#security.txt)
+- having a plan for how you would respond to a vulnerability notification (triage, escalation, etc.).
+
 ## security.txt
 A `security.txt` file is a way of telling researchers how to get in contact with
 us. As per the current policy, we only accept reports from services that have a
@@ -65,7 +68,7 @@ researcher, check with them first and ask which name they wish to have
 displayed.
 
 
-[Cyber Security team]: https://sites.google.com/cabinetoffice.gov.uk/cybersecurity
+[Cabinet Office Cyber Security team]: https://sites.google.com/cabinetoffice.gov.uk/cybersecurity
 [HackerOne]: https://www.hackerone.com
 [NCC Group]: https://www.nccgroup.com
 [security policy]: https://www.gov.uk/help/report-vulnerability