User Tools

Site Tools


ict:responsible-disclosure

This is an old revision of the document!


Responsible disclosure

If you want to report a 'regular' bug, not related to security, please do so using our issue tracker.

We are committed to keeping the IT environment of S.A. Proto secure. This is why we ask you, if you find any bug and/or vulnerability related to the security of the IT environment of S.A. Proto, to:

  • disclose the bug to us, via security@proto.utwente.nl, as soon as you confirm its existence;
  • not make any use of the bug and/or vulnerability beyond what is necessary to confirm it;
  • only access your own data to confirm the bug and/or vulnerability, where possible;
  • not publicly disclose the bug and/or vulnerability until we have had a chance to correct it.

If these conditions are adhered to, we promise in return:

  • to reply to your e-mail within 2 business days, and within 7 business days within the academic holidays of the University of Twente;
  • to fix the vulnerability within at most 31 days after we process your e-mail;
  • to give you credit for disclosing the bug and/or vulnerability;
  • to allow you to publicly disclose the bug and/or vulnerability after we have fixed it, if you so wish;
  • to not press any criminal charges.

Please keep in mind that this IT environment is run by volunteering students. While we take security incidents very serious, we don't have a dedicated, full-time team watching our security mailbox.

PGP keys

Should you wish to encrypt your e-mail towards us you can use any of the PGP keys below:

Hall of Fame ๐Ÿ†

The following people have already responsibly disclosed a security vulnerability in our website. A huge thanks to them! ๐Ÿ‘๐Ÿฝ

  • Wouter Kobes disclosed that it was possible for any user to change the profile photo of any other user on March 15, 2018.
  • Someone disclosed an XSS vulnerability in one of our API endpoints on May 25, 2018.
ict/responsible-disclosure.1527255161.txt.gz ยท Last modified: 2018/05/25 15:32 by jonathan