Coordinated Vulnerability Disclosure policy for research

The UT POLICY FOR COORDINATED VULNERABILITY DISCLOSURE IN RESEARCH was established on 27 March 2023.

This policy is an outbound disclosure policy in that it is about vulnerabilities in systems outside of the UT.

The policy gives (security) researchers and students clear guidelines for conducting vulnerability discovery activities during their research and conveys the University's preferences on coordinating with vendors to disclose and mitigate the discovered vulnerabilities.

The purpose of the disclosure is to contribute to the security of ICT systems by sharing knowledge about vulnerabilities and their mitigation. This contribution to ICT security awareness is a shared responsibility. The starting point of the policy is an equal discussion between the researcher, the University, and the affected vendors. The University has a duty of care to facilitate the researcher in this process.

The intent is to disclose vulnerabilities in the most helpful way to the community by ensuring confidentiality during the process, working with affected parties to find and test fixes, and aiming to inform all the impacted entities so that they can protect themselves by deploying patches and updating their systems. The researcher (student or employee) discovers the vulnerability and knows the technical details; the other party has the means and motivation to fix or mitigate the vulnerability.

Does this policy apply to me?

  • Did you find a vulnerability in a UT (licensed) system?

    This policy does not apply to you.

    If a weak spot is discovered in one of the systems of the University of Twente, you can contact LISA so that the University can take measures as soon as possible. For that, see the inbound disclosure policy: UT responsible disclosure policy.

  • Did you discover a vulnerability during your (cybersecurity) research?

    This policy applies to you.

    "This policy applies to all employees and students of the University of Twente conducting research at the University's premises or on behalf of or under the responsibility of the University of Twente (including, e.g., guest employees who conduct research under the responsibility of the UT or UT-employees at other locations). The policy applies to vulnerabilities discovered as part of research at the University, usually in systems of parties other than the University."

    You can ask the ethics committee Computer & Information Science for advice if needed. You are required to follow the procedure outlined below.

  • Are you a UT student?

    Please report the discovery to your supervisor or teacher. They are responsible for conducting the Coordinated Vulnerability Disclosure procedure for the vulnerabilities reported to them by their students.

  • Are you a teacher or supervisor, and did your student report a discovered vulnerability?

    Teachers and supervisors are responsible for conducting the Coordinated Vulnerability Disclosure procedure for the vulnerabilities reported to them by their students. You can ask the ethics committee Computer & Information Science for advice if needed. You are required to follow the procedure outlined below.

Terminology and Examples

  • Vulnerabilities

    Vulnerabilities are (technical) security flaws in computer systems (e.g., software or hardware) that can allow malicious actors to violate the confidentiality, integrity, or availability of ICT systems. For example, a flaw in the code of a web-based application may allow cybercriminals to inject arbitrary SQL commands into an HTTP request and thus access or modify the underlying database.

  • Vulnerability discovery

    Vulnerability discovery means finding out about possibly unknown vulnerabilities in ICT systems. This can, for example, be a result of research on security testing or internet network properties, or research on people's susceptibility to social engineering techniques such as spear-phishing, but many other activities can also lead to the discovery of vulnerabilities in systems.

  • Vulnerability disclosure

    Vulnerability disclosure refers to the process of communicating about the discovered weaknesses with affected parties, including vendors of affected systems, organisations hosting systems and content, and end users affected by the risks of such vulnerabilities (for example, information leakage or system damage). First, vendors must know about the vulnerability if they are to fix or mitigate it, and second, users of the affected systems must be aware that their systems are at risk until a solution by the vendor is deployed. The disclosure must be carried out in coordination with the parties involved, especially the owner or vendor of a system, in order to, for example, ensure that disclosure happens in a timely manner while giving the vendor enough information and time to resolve the issue before widely publishing its existence.

Procedure for conducting the disclosure

As mentioned above, the researcher, teacher, or supervisor conducts the Coordinated Vulnerability Disclosure procedure. Whenever the employee needs advice or support, and in any case when the owner or vendor does not react or is unwilling to cooperate, or when multiple vendors are involved, the researcher, teacher, or supervisor is strongly advised to contact the EC-CIS (ethicscommittee-cis@utwente.nl) for support. If necessary, the EC-CIS can help them contact the National Cyber Security Centre (NCSC).

If a weak spot is discovered in one of the systems of the University of Twente, you can contact LISA so that the University can take measures as soon as possible. For that, see the University's responsible disclosure policy.

The steps within the procedure to be performed by the researcher:

  1. Keep a record of all communications concerning the Coordinated Vulnerability Disclosure in a secure location. Mailing from the official UT Microsoft account may serve as a secure location.
  2. Search for the right contact for reporting a vulnerability, taking steps to find the right way to securely get in touch with them. Contact methods could include but are not limited to using the contact information in the Coordinated Vulnerability Disclosure policy of the owner or vendor, the security.txt contact information, emailing security reporting emails (security@ or secure@), filing bugs without confidential details in bug trackers, or filing support tickets.
  3. Send out the first notification and, if necessary, reminders after 21 days and 60 days. Appendix B gives templates for notifications to report vulnerabilities to affected parties. As stated in the templates, it is important that the report:
    1. includes that the vulnerability was found in a scientific environment during a research project;
    2. proposes a deadline for publication of the reported issue, to prevent a deadlock if there is no response;
    3. states that you are willing to negotiate the publication date, pending the response and remediation actions;
    4. is written in a friendly and open tone.
  4. In case of no reply from vendors, try to contact software distributors. For instance, in case of vulnerabilities found in an Android app present in the Google Play Store, contact Google.
  5. If necessary, negotiate with the vendors to set a publication date.
  6. If no fix is available by the agreed publication date (e.g., after 90 days), notify the contact of the intent to disclose the reported issue. In case of mitigating circumstances, it is possible to extend the deadline.
  7. When either the issue is fixed or the (extended) deadline has expired, disclose the vulnerability. Depending on the nature of the problem, there may be a few paths leading to eventual disclosure: 1) disclose the vulnerability publicly, 2) disclose it directly to the people using the project, or 3) issue a limited disclosure first, followed by a full public disclosure. Work with the contact to determine which approach is most appropriate in each case.
  8. Register the conclusion of the Coordinated Vulnerability Disclosure procedure with all documentation with the EC-CIS.
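Steps 2 and 3 above refer to the vendor's security.txt contact information and to a notification schedule with reminders after 21 and 60 days and a proposed publication date after about 90 days. The following Python script is an added example, not part of the policy text or of any UT tool: it parses a constructed security.txt file in the RFC 9116 layout (the `vendor.example` addresses are placeholders), checks the two properties a reporter should verify before trusting the file (at least one Contact, exactly one Expires that has not passed), and derives the reminder and publication dates from the date of the first notification.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample of a vendor's /.well-known/security.txt in the
# RFC 9116 layout. The domain and addresses are placeholders, not a real vendor.
SAMPLE_SECURITY_TXT = """\
# Constructed example, not a real vendor's file
Contact: mailto:security@vendor.example
Contact: https://vendor.example/report
Expires: 2030-12-31T23:59:00.000Z
Preferred-Languages: en, nl
Policy: https://vendor.example/cvd-policy
Encryption: https://vendor.example/pgp-key.txt
"""


@dataclass
class SecurityTxt:
    """Parsed security.txt: field name (lower-cased) -> values in file order."""
    fields: Dict[str, List[str]] = field(default_factory=dict)
    malformed: List[str] = field(default_factory=list)  # lines without "name: value"

    @property
    def contacts(self) -> List[str]:
        # RFC 9116 lists Contact entries in the vendor's order of preference.
        return self.fields.get("contact", [])


def parse_security_txt(text: str) -> SecurityTxt:
    """Parse the 'Field: value' lines of a security.txt; '#' lines are comments."""
    result = SecurityTxt()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            result.malformed.append(line)
            continue
        result.fields.setdefault(name.strip().lower(), []).append(value.strip())
    return result


def parse_expires(value: str) -> datetime:
    """Parse the Expires timestamp (ISO 8601); a trailing 'Z' means UTC."""
    parsed = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def validate(stxt: SecurityTxt, now: datetime) -> List[str]:
    """Return the problems a reporter should notice before using the contact data."""
    issues: List[str] = []
    if not stxt.contacts:
        issues.append("missing Contact field")
    expires = stxt.fields.get("expires", [])
    if len(expires) != 1:
        issues.append("Expires must appear exactly once")
    else:
        try:
            if parse_expires(expires[0]) <= now:
                issues.append("file has expired; contact details may be stale")
        except ValueError:
            issues.append("Expires is not a valid ISO 8601 timestamp")
    for line in stxt.malformed:
        issues.append(f"malformed line: {line!r}")
    return issues


def notification_schedule(first_notification: date, publication_days: int = 90) -> Dict[str, date]:
    """Reminder and publication dates as the procedure above describes them."""
    return {
        "first_notification": first_notification,
        "reminder_1": first_notification + timedelta(days=21),
        "reminder_2": first_notification + timedelta(days=60),
        "proposed_publication": first_notification + timedelta(days=publication_days),
    }


if __name__ == "__main__":
    stxt = parse_security_txt(SAMPLE_SECURITY_TXT)
    problems = validate(stxt, datetime.now(timezone.utc))
    print("preferred contact:", stxt.contacts[0] if stxt.contacts else None)
    print("issues:", problems or "none")
    for label, day in notification_schedule(date(2023, 3, 27)).items():
        print(f"{label:>22}: {day.isoformat()}")
```

The schedule is keyed to the date the first notification is actually sent, so it should be recomputed if the first contact attempt bounces and a new address is used; the `publication_days` parameter is where a deadline negotiated with the vendor (step 5) or an extension (step 6) is entered.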

Contact

drs. P. de Willigen (Petri)
Secretary Ethics Committee Computer & Information Science (EC-CIS)
