The UT POLICY FOR COORDINATED VULNERABILITY DISCLOSURE IN RESEARCH was established on 27 March 2023.
This policy is an outbound disclosure policy: it concerns vulnerabilities in systems outside of the UT.
The policy gives (security) researchers and students clear guidelines for conducting vulnerability discovery activities during their research and conveys the University's preferences on coordinating with vendors to disclose and mitigate the discovered vulnerabilities.
The purpose of the disclosure is to contribute to the security of ICT systems by sharing knowledge about vulnerabilities and their mitigation. This contribution to ICT security awareness is a shared responsibility. The starting point of the policy is an equal discussion between the researcher, the University, and the affected vendors. The University has a duty of care to facilitate the researcher in this process.
The intent is to disclose vulnerabilities in the most helpful way to the community by ensuring confidentiality during the process, working with affected parties to find and test fixes, and aiming to inform all the impacted entities so that they can protect themselves by deploying patches and updating their systems. The researcher (student or employee) discovers the vulnerability and knows the technical details; the other party has the means and motivation to fix or mitigate the vulnerability.
Does this policy apply to me?
Terminology and Examples
Procedure for conducting the disclosure
As mentioned above, the researcher, teacher, or supervisor conducts the Coordinated Vulnerability Disclosure procedure. Whenever the employee needs advice or support, and in any case when the owner or vendor does not react or is unwilling to cooperate, or when multiple vendors are involved, the researcher, teacher, or supervisor is strongly advised to contact the EC-CIS (ethicscommittee-cis@utwente.nl) for support. If necessary, the EC-CIS can help them contact the National Cyber Security Centre (NCSC).
If a vulnerability is discovered in one of the University of Twente's own systems, contact LISA so that the University can take measures as soon as possible. For that, see the University's responsible disclosure policy.
The steps within the procedure to be performed by the researcher:
- Keep a record of all communications concerning the Coordinated Vulnerability Disclosure in a secure location. Mailing from the official UT Microsoft account may serve as a secure location.
- Search for the right contact for reporting a vulnerability, and find a way to get in touch with them securely. Contact methods could include, but are not limited to, the contact information in the Coordinated Vulnerability Disclosure policy of the owner or vendor, the security.txt contact information, the vendor's security reporting addresses (security@ or secure@), filing bugs without confidential details in bug trackers, or filing support tickets.
- Send out the first notification and, if necessary, reminders after 21 days and 60 days. Appendix B gives templates for notifications to report vulnerabilities to affected parties. As stated in the templates, it is important that the report:
  - states that the vulnerability was found in a scientific environment during a research project;
  - proposes a deadline for publication of the reported issue, to prevent a deadlock in case of no response;
  - states that you are willing to negotiate the publication date, pending response and remediation actions;
  - is written in a friendly and open tone.
- In case of no reply from vendors, try to contact software distributors. For instance, in case of vulnerabilities found in an Android app present in the Google Play Store, contact Google.
- If necessary, negotiate with the vendors to set a publication date.
- If no fix is available by the agreed publication date (e.g., after 90 days), notify the contact of the intent to disclose the reported issue. In case of mitigating circumstances, it is possible to extend the deadline.
- When either the issue is fixed or the (extended) deadline has expired, disclose the vulnerability. Depending on the nature of the problem, there may be several paths leading to eventual disclosure: 1) disclose the vulnerability publicly, 2) disclose it directly to the people using the project, or 3) issue a limited disclosure first, followed by a full public disclosure. Work with the contact to determine which approach is most appropriate in each case.
- Register the conclusion of the Coordinated Vulnerability Disclosure procedure with all documentation with the EC-CIS.