Vulnerability Disclosure Guidance
Indiana University (IU) takes the security of its IT resources and institutional data very seriously. Through various means, we do our very best to ensure the confidentiality, integrity, and availability of the sensitive data in our care, and the IT resources where data is collected, stored or transmitted. However, we know even the best efforts from IU’s talented staff may not detect all possible issues. Therefore, we want security researchers to feel comfortable reporting vulnerabilities they have discovered, as set out in this guidance, so that IU’s software developers and systems administrators can take action to fix them and keep IU’s data and systems safe. Responsible researchers are welcome to provide constructive and well-intentioned reports, be they students, staff, faculty, or affiliates of Indiana University or a member of the public.
This guidance describes what systems and types of research are covered under this guidance, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.