@Dennis www.govcertuk.gov.uk
govcertuk.gov.uk were the people that arranged for the websites to be fixed in the end, SANS took it seriously and made sure that the emails got through. The NHS was contracted to an American firm called CSC, the NICE website is not under the govcertuk.gov.uk's brief and so they did nothing about it even though it was demonstraed graphically that the guidelines to doctors could be altered.
SANS were the first people to take it seriously btw, politicians and civil servants an the media, were contacted, the webmaster ignored the emails. Since the Home Office issued a statement stating that xss exploits were "trivial" a week before the discovery of this, it wasn't until it wasn't pointed out that the public could be poisoned that govcertuk took it any notice at all and then they still had to go find the third party responsible for maintaining the website.
FAIL: the government not being able to spot this kind of risk to the British public
FAIL: the webmasters, politicians, civil servants, media who ignored it
FAIL: govcertuk not being able to pull the switch on the NICE guidelines for doctors (though good job on the NHS)
Philip.