Four years ago we established the responsible disclosure policy at the university. In this policy, we state that we will not take action against a person who hacked into a system through a vulnerability, if they reported the vulnerability to us in a responsible way.
For this purpose, a template of the National Cyber Security Center (NCSC) was used. The University of Twente was the first organization outside the NCSC itself to use it. Our experiences and observations have resulted in minor adjustments and adaptations to the template. Our own policy was revised in early 2018 and adapted to the current circumstances.
On 23 April 2014 we received the first notification. Many of the reports in the first years came from our own students. Later on, students of institutions we work with in the field of cyber security education started to report vulnerabilities too.
The new policy is also available in English. This has multiplied the number of reports in 2018.
In total, more than 80 people have now made over 170 reports. We want to thank them for their help in securing the university.
For more details, please refer to the article on our Cyber Safety site.