Author: Government Digital Service

Vulnerability Monitoring Service

The Vulnerability Monitoring Service (VMS), provided by the Government Digital Service (GDS), helps public sector organisations identify and respond to security vulnerabilities in their internet-facing digital services.

This is part of an extended service that builds on the monitoring already offered by DNS Check.

Benefits of using the VMS

The benefits of VMS include:

  • centrally funded with no cost to your organisation
  • proactive protection that detects vulnerabilities before attackers do
  • free outreach service: we will contact you if we detect critical vulnerabilities
  • extends monitoring provided by DNS Check
  • optional SIEM integration that feeds alerts directly into your existing security tools
  • access to the domains knowledge base

What the VMS does

Once you register, GDS will monitor your digital environment and we will:

  • alert you to vulnerabilities and misconfigurations
  • support you to fix any issues
  • use automated and manual triage of the issues to help you prioritise critical issues

The service can find internet-facing vulnerabilities including:

  • web-based vulnerabilities
  • exposed files, storage buckets and admin panels
  • misconfigurations
  • phishing domains
  • new and existing CVEs in applications like Microsoft Exchange and ServiceNow
  • software vulnerabilities like XSS and RCE
  • exposed API keys and passwords
  • open ports
  • IP addresses in untrusted locations

As the service evolves, new checks will be added based on user feedback, without disrupting your services.

When we add new checks to our service we will make sure they don’t harm the service being monitored.

Source and frequency of scanning

Current monitoring traffic originates from Detectify, using scanner.detectify.com with the dedicated IP addresses 52.17.9.21 and 52.17.98.131.

Please ensure you have notified the appropriate people to allow traffic from these IPs.

From time to time the IPs will change as we rotate in new suppliers and services. We will notify you of any changes.

The VMS makes multiple connections a day to services operating on your domains. It queries each service by host and IP address and each open port found.

Neither GDS nor your organisation can control the timing or cadence of the monitoring.
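
An added example (not GDS or Detectify code) for security and operations teams: it splits web access logs into VMS scanner traffic and other traffic using the two IP addresses published above, and lists scanner requests that were refused. The Combined Log Format, the choice of 403 and 429 as "refused" statuses, and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Scanner addresses as published on this page; they change when suppliers rotate.
VMS_SCANNER_IPS = frozenset(ip_address(a) for a in ("52.17.9.21", "52.17.98.131"))
# Assumption: these statuses mean a WAF, ACL or rate limiter refused the request.
BLOCKING_STATUSES = {403, 429}

# Combined Log Format: peer - user [day:hour:min:sec zone] "request" status size ...
LOG_LINE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<day>[^:\]]+):(?P<hour>\d{2}):[^\]]*\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def summarise(lines):
    """Split access-log traffic into VMS scanner requests and everything else."""
    per_hour, blocked = Counter(), []
    other = skipped = 0
    for line in lines:
        m = LOG_LINE.match(line)
        try:
            # Use the connecting peer address only: behind a proxy or CDN it is the
            # proxy, and a client-supplied X-Forwarded-For header proves nothing.
            peer = ip_address(m["peer"]) if m else None
        except ValueError:
            peer = None
        if peer is None:
            skipped += 1
        elif peer in VMS_SCANNER_IPS:
            per_hour[f'{m["day"]} {m["hour"]}'] += 1
            if int(m["status"]) in BLOCKING_STATUSES:
                blocked.append((str(peer), int(m["status"]), m["request"]))
        else:
            other += 1
    return {"vms_per_hour": dict(per_hour), "vms_blocked": blocked,
            "other": other, "skipped": skipped}

# Constructed sample lines (not real traffic); non-scanner peers use documentation ranges.
SAMPLE_LOG = """\
52.17.9.21 - - [12/Mar/2025:09:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
52.17.98.131 - - [12/Mar/2025:09:14:05 +0000] "GET /admin HTTP/1.1" 403 312 "-" "-"
203.0.113.7 - - [12/Mar/2025:09:15:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
52.17.9.21 - - [12/Mar/2025:10:01:11 +0000] "GET /robots.txt HTTP/1.1" 429 0 "-" "-"
198.51.100.23 - - [12/Mar/2025:10:02:00 +0000] "POST /login HTTP/1.1" 403 0 "-" "-"
not a log line
""".splitlines()
if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Entries in vms_blocked show where a control is refusing the scanner, which is what the notification to security and operations teams is meant to prevent.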

Impact on services

The VMS can generate a substantial amount of traffic, but this is within the volumes a modern service should be able to tolerate.

If your website or digital service is not configured to handle reasonable volumes of traffic it could encounter issues.

If your service is unable to handle this volume of traffic, it could already be vulnerable to a denial of service (DoS) attack.

How to register

We accept domains in any namespace, for example .gov.uk, .nhs.uk, or .org.uk, as long as you own the domain and can authorise monitoring of the services it operates.

Getting the VMS set up for your organisation is straightforward. Here’s how to get started:

  1. You will need to know what domains you own and are responsible for, to give GDS permission to access your domains.
  2. You will need to tell your organisation’s appropriate security and operations people about the monitoring before it is set up. This makes sure they understand where the extra traffic is coming from and do not block it.
  3. You should tell your service providers about the monitoring to make sure you are contractually allowed to include the VMS.

Once registered, GDS will begin monitoring your domains and alert you by email if any critical issues are found, along with guidance on how to fix them. If you’ve requested SIEM integration, we’ll also contact you to help set it up.

Share your zone files

To make sure we’re monitoring your full attack surface, you should share your zone files with our team.

This lets us keep an eye on all your domains and subdomains, helping ensure nothing is missed and reducing the risk of vulnerabilities going unnoticed.

Making changes after registering

If you need to make changes after registering, you will need to let us know by sending an email to support@domains.gov.uk or by submitting a new form.

Changes you might need to make include changing the authoriser or adding a new domain.

Contact us

If you need more information, email support@domains.gov.uk.
