
Four years of Responsible Disclosure @ University of Twente

Four years ago we established the responsible disclosure policy at the university. In this policy, we state that we will not take action against a person who gained access to a system through a vulnerability, provided they reported that vulnerability to us in a responsible way.

For this purpose, a template of the National Cyber Security Center (NCSC) was used. The University of Twente was the first organization outside the NCSC itself to use this template. Our experiences and observations have resulted in minor adjustments and adaptations to it. Our own policy was revised in early 2018 and adapted to the current circumstances.

The first version was published in February 2014, and on 23 April 2014 the first reports came in. That version was only available in Dutch. As expected, this meant that most reports came from our own students. They delivered 17 reports in 2014.

An interesting report was related to how Oracle handled the storage of passwords used to access its management interface. The Oracle server would give back those passwords in plain text if asked the right question. What was also interesting about the report was the fact that the reporter should not have been able to reach that interface at all. Our administrators started an investigation into the way access had been obtained. That access path was found within hours and blocked immediately. The leak in the Oracle server itself was a different story: Oracle took almost 300 days to resolve this bug.

In 2015 we received 29 reports. That year, too, the reporters were mainly our own university students. However, there were also reports from students at other universities, particularly universities we work closely with in the field of cyber security research. That was the first year in which we started to receive reports about Cross-Site Scripting (XSS) and SQL injection (SQLi). They have been coming in constantly since then.

The following year, the number of reports came to 25. We received a number of reports on unsafe access to various systems. Many vendors assume we will connect a device behind a firewall. That is almost never the case on the university network. Unsafe configurations and default passwords were the result.

Last year we accepted 33 reports. Clickjacking reports were a new phenomenon. In clickjacking, a site is loaded into a so-called iframe, giving the page that shows the iframe a means to place invisible buttons over it. That can be dangerous. On the other hand, being loadable in a frame is also a feature that many sites very much want. We cannot fix them all, but the reports made the administrators of those sites think again about the risks and then make an informed decision.

This was also the first year in which reports on specific nameserver records, including SPF, showed up in our mailbox. Normally all reporters get a mention in the Hall of Fame, but the number of such reports was so large that we decided not to honor such reports anymore.

This year is only a few months old and already the number has more than doubled. That was mainly due to a boom in February, in which we received 45 reports during a couple of weeks. Over 90% of these reports came from India and Pakistan (the policy is now also available in English).

Many of these reports were related to a new kind of vulnerability for websites, concerning Cross-Origin Resource Sharing (CORS). With CORS you allow another website, without further authentication, to display information within the context of your page. This can be useful for images, but that other resource can also be a script, which can cause unexpected problems, as seen on sites like nu.nl, which load scripts into your browser from external ad providers.
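The clickjacking and CORS issues described in the two passages above, checked from the defender's side: an added example (not code from the university or from the original post) that inspects the response headers a site sends and reports whether any site may frame the page and whether an untrusted Origin is echoed back, with or without credentials. The header values, origins and the allowlist are constructed for the example.

```python
# Added example: defender-side check for framable pages (clickjacking) and
# permissive CORS (reflected Origin, worse with credentials). All header
# values, origins and the allowlist below are constructed samples.
from typing import Dict, Iterable, List

Headers = Dict[str, str]

def _get(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def framing_findings(headers: Headers) -> List[str]:
    """Clickjacking check: is framing restricted by X-Frame-Options or CSP?"""
    csp = _get(headers, "Content-Security-Policy").lower()
    if "frame-ancestors" in csp:
        return []  # CSP frame-ancestors decides who may frame the page
    if _get(headers, "X-Frame-Options").upper() in ("DENY", "SAMEORIGIN"):
        return []
    return ["framable by any site: no X-Frame-Options or CSP frame-ancestors"]

def cors_findings(request_origin: str, headers: Headers,
                  trusted_origins: Iterable[str]) -> List[str]:
    """CORS check for a response to a request that carried request_origin."""
    findings: List[str] = []
    acao = _get(headers, "Access-Control-Allow-Origin")
    creds = _get(headers, "Access-Control-Allow-Credentials").lower() == "true"
    if acao == "*":
        # Browsers ignore '*' together with credentials, so only public data leaks.
        findings.append("any origin may read this (unauthenticated) response")
    elif acao and acao == request_origin and acao not in set(trusted_origins):
        findings.append(f"untrusted Origin reflected: {acao}")
        if creds:
            findings.append("credentials allowed: authenticated data readable cross-origin")
    return findings

# Constructed sample: the weak response beside the corrected one.
WEAK = {"Access-Control-Allow-Origin": "https://evil.example",
        "Access-Control-Allow-Credentials": "true"}
FIXED = {"Access-Control-Allow-Origin": "https://app.example",
         "Access-Control-Allow-Credentials": "true",
         "X-Frame-Options": "DENY"}
TRUSTED = ["https://app.example"]  # hypothetical allowlist of partner origins
```

Run `framing_findings(hdrs) + cors_findings(origin, hdrs, TRUSTED)` over each response your site sends to a request with a given Origin; an empty list means neither issue was found.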

In total, more than 80 people have now made over 170 reports. We want to thank them for their help in securing the university.