Vulnerability Disclosure Guidance

Indiana University (IU) takes the security of its IT resources and institutional data very seriously. Through various means, we do our very best to ensure the confidentiality, integrity, and availability of the sensitive data in our care, and the IT resources where data is collected, stored or transmitted. However, we know even the best efforts from IU’s talented staff may not detect all possible issues. Therefore, we want security researchers to feel comfortable reporting vulnerabilities they have discovered, as set out in this guidance, so that IU’s software developers and systems administrators can take action to fix them and keep IU’s data and systems safe. Responsible researchers are welcome to provide constructive and well-intentioned reports, be they students, staff, faculty, or affiliates of Indiana University or a member of the public. 

This guidance describes what systems and types of research are covered under this guidance, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Guidelines

Indiana University requires that you, the researcher: 

• Make every effort to avoid privacy violations, degradation of user experience, disruption to any IT systems, and destruction or manipulation of data. 
• Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access with or without persistence, or use the exploit to "pivot" to other systems. Once you have established that a vulnerability exists, or encounter any of the sensitive data outlined below, you must stop your test and immediately report the vulnerability according to the reporting instruction below.
• Keep any information about discovered vulnerabilities confidential for at least 90 calendar days after you have notified Indiana University through the channels detailed in this document. Additional time might be needed before you disclose some or all information about discovered vulnerabilities after we have established communications with you. See the Coordinated Disclosure section below for more details.

Scope

This guidance applies to the following systems: 

• Any device with an A or AAAA DNS record in an IU authoritative domain is in scope. Any other device, even if it is using an IU IP address, is out of scope. 
• If you are not sure whether a system or endpoint is in scope, contact the University Information Security Office (UISO) at uiso@iu.edu before starting or continuing your research. 
• The following test types are not authorized:
  • Physical testing (e.g. office access, open doors, tailgating, etc). 
  • Social engineering (e.g. phishing, vishing, etc). 
  • Network or service denial of service (DoS or DDoS) tests. 
  • Any testing that has a likelihood of exposing sensitive data, degrading user experience, disrupting any IT systems, and destruction or manipulation of data. 
  • Any other non-technical vulnerability testing. 
  • Any form of testing prohibited by law in the jurisdiction in which you are located, where testing originates or is destined. 

If you encounter any of the following while testing within the scope of this guidance that you do not have explicit authorization to access, stop your test and notify the UISO immediately: 

• Personally Identifiable Information (PII).
• Passwords (e.g. to accounts, services, encryption keys, or other secrets). 
• Visa or immigration information. 
• State ID, Driver’s license, or passport numbers. 
• Financial information (e.g. credit card or bank account numbers, tax form data, Social Security Numbers). 
• Proprietary information or trade secrets of companies of any party. 
• Any data that is classified as University-Internal, Restricted or Critical by Indiana University according to the Data Classification Matrix. 

Authorization

If you make a good faith effort to comply with this guidance during your security research, testing and disclosure process, IU will work with you to understand and resolve the issue quickly. If you follow the guidelines stated here in regards to your research, testing, and/or disclosure of their results, the University Information Security Office of Indiana University will recommend to IU leadership and General Counsel not to initiate legal action or disciplinary actions internal to IU. If you do not follow the guidelines stated here, the UISO may recommend action be taken or treat your activities as malicious. The UISO reserves the right to judge if a good faith effort has been made.

Reporting a vulnerability

The UISO accepts and discusses non-emergency vulnerability reports via email to uiso@iu.edu. If you believe this to be an emergency see this web page on how to report security incidents. Most reports may be submitted anonymously if you wish. See below for more information as to who may not make anonymous reports. Note: We do not currently support S/MIME or PGP-encrypted emailed reports. If you require certain details to be sent encrypted, contact us to make arrangements. 

Reports should include: 

• Description of the location and potential impact of the vulnerability. UISO requires at least the inclusion of the DNS A or AAAA record and IP address. 
• A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Use extreme care to properly label and protect any exploit code. 
• Any technical information and related materials needed to reproduce the issue. 
• Although anonymous reports are accepted, you are encouraged to provide reliable contact information for us to use. If you decide to report anonymously then you may not disclose the discovered vulnerabilities yourself until Indiana University discloses it publicly, and we will not be able to credit you for your efforts.
• If you are an Indiana University student, staff, facility, or affiliate, your IU assigned email address is required to be used when reporting discovered vulnerabilities. You are required by Indiana University policy ISPP-26 to report security incidents or issues. 

Please keep your vulnerability reports current by sending us any new information as it becomes available.  

We may share your vulnerability reports with trusted third parties, as well as any affected vendors or open-source projects. If you wish, we will credit your discovery to you by name to the vendor or open-source project. If you wish to remain anonymous, you will be credited as “a third party who asked to be anonymous” or similar.

Coordinated Disclosure

Indiana University is committed to do our best to complete patching and remediation of vulnerabilities within 90 days, and to disclose the details of those vulnerabilities when patches are published and remediation is complete. In some cases, patching and remediation may take longer than 90 days. Unless your report is anonymous, we will communicate expected timelines and update you, if those are going to be exceeded.  

IU believes that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process and that one of the best ways to make software and systems better is to enable everyone to learn from each other's mistakes. At the same time, we believe that disclosure in the absence of a readily available patch and/or remediation of affected systems tends to increase risk rather than reduce it, and so we require that you refrain from sharing your report with others while we work on patching and remediation. If you believe others should be informed of your report before the patch is available and remediation is complete, let us know so we can make arrangements.

IU may want to coordinate an advisory with you to be published simultaneously with the patch and the completion of our remediation, but you are also welcome to self-disclose. By default, we prefer to disclose everything through our established channels, but we will never publish information about you or our communications with you without your permission unless required by law. In cases that include sensitive information that must be redacted prior to disclosure, we require that you check with us before self-disclosing. Also, if the patch will not be available or remediation will not be complete within 90 days after you have reported your discovery, we may require that you delay your disclosure in part or completely until a patch is ready and remediation is complete. We will make all possible efforts to patch and complete remediation within 90 days, but in those situations where we cannot, we expect your cooperation in coordinating the disclosure of information on the discovered vulnerabilities.

Bug Bounty/Reward for Vulnerability Report

Indiana University does not have a “Bug Bounty” program or provide any monetary or material reward of any kind for reporting vulnerabilities. If you withhold information about a vulnerability in an attempt to require a monetary or material reward, you are not complying with this guidance and your activities are not authorized by it. If you do not follow the guidelines stated here, the UISO may recommend to IU leadership and General Counsel that action be taken and/or treat your activities as malicious.