The University of Twente is the first to establish a university-wide policy on Coordinated Vulnerability Disclosure in Research.
Cybersecurity research may lead to the discovery of previously unknown security vulnerabilities in ICT systems. For example, research on the fundamentals of an Internet protocol may uncover flaws in its authentication mechanisms, which would allow attackers to access unauthorized information; research on software testing may discover weaknesses that would allow attackers to compromise systems. Furthermore, even non-security research may lead to the identification of security flaws.
Whenever such vulnerabilities are discovered, researchers have a moral obligation to help inform the affected parties of the risks and to contribute their insights to resolving the issues. Yet, until now, there has been a lack of clear guidelines and institutionalised support for researchers to do so.
The new University of Twente policy on "Coordinated Vulnerability Disclosure in Research" establishes a set of rules that UT researchers are expected to follow, embedded in the wider context of research ethics procedures. The new policy furthermore offers concrete guidelines on how to carry out the outgoing disclosure, and embeds institutional support for researchers involved in this process.
The UT is the first university to explicitly adopt an outgoing policy on Coordinated Vulnerability Disclosure in Research and, with this step, hopes to contribute to better practices in this type of research and to inspire other institutes to take this subject into account and address it more effectively.
- Website: https://www.utwente.nl/en/service-portal/research-support/procedures-facilities/coordinated-vulnerability-disclosure-policy-for-research
- Paper: https://www.ndss-symposium.org/wp-content/uploads/2023/02/ethics2023-237352-paper.pdf