Vulnerability Disclosure Guidance

Vulnerability Disclosure Guidance

Indiana University (IU) takes the security of its IT resources and institutional data very seriously. Through various means, we do our very best to ensure the confidentiality, integrity, and availability of the sensitive data in our care, and the IT resources where data is collected, stored or transmitted. However, we know even the best efforts from IU’s talented staff may not detect all possible issues. Therefore, we want security researchers to feel comfortable reporting vulnerabilities they have discovered so that IU’s software developers and systems administrators can take action to fix those vulnerabilities and keep IU’s data and systems safe. Responsible researchers—whether students, staff, faculty, affiliates of IU, or members of the public—are welcome to provide constructive and well-intentioned reports.

This guidance describes what systems and types of research are covered under this guidance, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Guidelines

IU expects that researchers shall:

• Make every effort to avoid privacy violations, degradation of user experience, disruption to any IT systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access with or without persistence, or use the exploit to "pivot" to other systems. Once you have established that a vulnerability exists, or encounter any of the sensitive data outlined below, you must stop your test and immediately report the vulnerability according to the reporting instructions below.
• Keep any information about discovered vulnerabilities confidential for at least 90 calendar days after you have notified IU through the channels detailed in this document. Additional time might be needed before you disclose some or all information about discovered vulnerabilities after we have established communications with you. See the Coordinated Disclosure section below for more details.
• Stop testing and notify the UISO immediately if you encounter any of the following that you do not have explicit authorization to access:
  • Personally Identifiable Information (PII).
  • Passwords (e.g. to accounts, services, encryption keys, or other secrets).
  • Visa or immigration information.
  • State ID, Driver’s license, or passport numbers.
  • Financial information (e.g. credit card or bank account numbers, tax form data, Social Security Numbers).
  • Proprietary information or trade secrets.
  • Any data that is classified as University-Internal, Restricted or Critical by IU according to the Data Classification Matrix.

Scope

This guidance applies to the following systems:

• Any device with an A or AAAA DNS record in an IU authoritative domain is in scope. Any other device, even if it is using an IU IP address, is out of scope.
• If you are not sure whether a system or endpoint is in scope, contact the University Information Security Office (UISO) at uiso@iu.edu before starting or continuing your research.
• The following test types are not authorized:
  • Physical testing (e.g. office access, open doors, tailgating, etc).
  • Social engineering (e.g. phishing, vishing, etc).
  • Network or service denial of service (DoS or DDoS) tests.
  • Any testing that has a likelihood of exposing sensitive data, degrading user experience, disrupting any IT systems, or destroying or manipulating data.
  • Any other non-technical vulnerability testing.
  • Any form of testing prohibited by law.

Reporting a vulnerability

The UISO accepts and discusses non-emergency vulnerability reports via email to uiso@iu.edu. If you believe reporting a specific vulnerability is an emergency, report it on this web page. Note: We do not currently support S/MIME or PGP-encrypted emailed reports. If you require certain details to be sent encrypted, contact us to make arrangements.

Reports should include:

• Description of the location and potential impact of the vulnerability. UISO requires at least the inclusion of the DNS A or AAAA record and IP address.
• A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Use extreme care to properly label and protect any exploit code.
• Any technical information and related materials needed to reproduce the issue.
• Reliable contact information for us to contact you unless you are providing an anonymous report. Although anonymous reports are accepted, we strongly encourage you to provide contact information. If you decide to report anonymously then you may not disclose the discovered vulnerabilities yourself until IU discloses it publicly, and we will not be able to credit you for your efforts.
• Your IU assigned email address if you are an IU student, staff, facility, or affiliate. You are required by Indiana University policy ISPP-26 to report security incidents or issues.

Please keep your vulnerability reports current by sending us any new information as it becomes available.

We may share your vulnerability reports with trusted third parties, as well as any affected vendors or open-source projects. If you wish, we will credit your discovery to you by name to the vendor or open-source project. If you wish to remain anonymous, you will be credited as “a third party who asked to be anonymous” or similar.

Coordinated Disclosure

IU is committed to do our best to complete patching and remediation of vulnerabilities within 90 days, and to disclose the details of those vulnerabilities when patches are published and remediation is complete. In some cases, patching and remediation may take longer than 90 days. Unless your report is anonymous, we will communicate expected timelines and update you if the patching and remediation is going to exceed 90 days.

IU believes that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process and that one of the best ways to make software and systems better is to enable everyone to learn from each other's mistakes. At the same time, we believe that disclosure in the absence of a readily available patch and/or remediation of affected systems tends to increase risk rather than reduce it, and so we require that you refrain from sharing your report with others while we work on patching and remediation. If you believe others should be informed of your report before the patch is available and remediation is complete, let us know so we can make arrangements.

IU may want to coordinate an advisory with you to be published simultaneously with the patch and the completion of our remediation, but you are also welcome to self-disclose such an advisory. By default, we prefer to disclose everything through our established channels, but we will never publish information about you or our communications with you without your permission unless required by law. In cases that include sensitive information that must be redacted prior to disclosure, we require that you check with us before self-disclosing. Also, if the patch will not be available or remediation will not be complete within 90 days after you have reported your discovery, we may require that you delay your disclosure in part or completely until a patch is ready and remediation is complete. We will make all possible efforts to patch and complete remediation within 90 days, but in those situations where we cannot, we expect your cooperation in coordinating the disclosure of information on the discovered vulnerabilities.

Compliance with this Guidance

IU appreciates constructive and well-intentioned reports made in compliance with this guidance. Moreover, if you comply with this guidance and do not cause any harm to IU, IU will not take any disciplinary or legal action against you.

Bug Bounty/Reward for Vulnerability Report

IU does not have a “Bug Bounty” program or provide any monetary or material reward of any kind for reporting vulnerabilities. If you withhold information about a vulnerability in an attempt to solicit a monetary or material reward, you are not complying with this guidance and your activities are not authorized.