Security Policy

regarding discovery and reporting of vulnerabilities

What NOT to report

Findings that do NOT pose a threat to our systems as such.

So no clickjacking vulnerabilities, content spoofing, old cipher suites that are still needed for backwards compatibility, etc.

Nothing concerning third parties impersonating us: users will click on anything without even checking the URL or email address, so we do not jump through hoops to remedy theoretical fraud vectors.

Data accessible over APIs that is already available on our public webpages.

What TO report

Vulnerabilities that DO pose a threat to our systems as such.

Unintentionally accessible data, i.e. data that is not already available on our public web pages.

Hacks and exploits leading to actual access to data or to rights on a system.

Possible Awards

As a public facility we cannot grant bounty payments.

With their consent, we will give public credit and acknowledgement to researchers in our Hall of Fame for the first report of a previously unknown vulnerability that presents a real risk to our systems.

Testing Requirements

During testing, avoid disrupting our systems or destroying data; in particular, do not perform DoS attacks.

If a vulnerability provides unintended access to data, stop testing and submit a report immediately, especially if you encounter Personally Identifiable Information (PII), any data belonging to our staff or students, or any proprietary information.

Do not violate the privacy of others: do not disclose private information publicly.