Cybersecurity research may lead to the discovery of previously unknown security vulnerabilities in ICT systems. For example, research on the fundamentals of an Internet protocol may uncover flaws in its authentication mechanisms that let attackers read information they are not authorised to access; research on software testing may reveal weaknesses that would let attackers compromise systems. Research outside the security field may also uncover security flaws unintentionally.
Whenever such vulnerabilities are discovered, researchers have a moral obligation to help inform those affected of the risk and to contribute their insights towards resolving the issues. The new outbound Coordinated Vulnerability Disclosure policy (outbound in the sense that it governs how UT researchers disclose flaws they find in systems owned by others, as distinct from an inbound policy for receiving reports about the UT's own systems) establishes rules that UT researchers are expected to follow, embedded in the broader context of the research ethics procedures. The policy furthermore offers concrete guidelines on how to carry out a disclosure and provides institutional support for researchers involved in the process.
The UT is the first university to establish an explicit outbound policy on Coordinated Vulnerability Disclosure. With this step it hopes to contribute to better practices in this type of research and to encourage other institutes to recognise the issue and deal with it.