Protecting our systems and data from security vulnerabilities is integral to what we do. We aim to identify and address any weaknesses that could allow an attacker to compromise the integrity, availability, or confidentiality of any University product, service or system.
We also value the vital work done by security researchers in making the Internet a safer and more secure space, and have developed this policy using guidance from ISO 29147:2018. If you have identified a security vulnerability in our products, services or systems, we would like to work with you to improve our systems.
Please review this policy before attempting to test or report a vulnerability.
University employees and contractors
If you are an employee or contractor of the University of York please contact CERT (Computer Emergency Response Team) prior to taking any action under this policy:
You can report any vulnerability you discover in our systems by contacting CERT (Computer Emergency Response Team):
See Communicating with us for more details on how to contact us, including how to secure your communications.
In all cases, you must:
You must not:
If you want to actively test our systems for vulnerabilities, you must:
You must not:
Upon receiving your report, we will:
There are some issues that we may not consider to be security vulnerabilities, but you can still report them to us. We will respond and inform you why we do not consider it to be a security vulnerability. These are largely non-exploitable vulnerabilities or configuration issues, for example:
If you are worried about the confidentiality of information sent to the University as part of this process, we recommend you send the information to us using PGP/GPG.
You may prefer to work through a third party such as a CSIRT team. We may work with other CERTs and CSIRTs if we need to collaborate with a wide variety of organisations or coordinate the release of information. You can decide to work through a third party for any reason, even after contacting us directly.
You may wish to report something to us entirely anonymously. We are happy for you to do this, but it may make it difficult for us to confirm the vulnerability and to acknowledge your efforts if we are unable to contact you. We may also fail to identify your activity if you are anonymous, for example, if you do not wish to provide us with the IP address used to test our systems.
This policy is under active development. We are using a limited scope to help us explore what works well and what does not. The scope of the policy will change over time.
The fully qualified domain names of the systems within scope are listed below. Subdomains not explicitly listed are in scope ONLY if they are hosted in the IPv4 range 144.32.0.0/16 or the IPv6 range 2001:0630:0061::/48.
If you are unsure as to whether a system is in scope, please contact us first.
Credits and thanks
The University of York thanks the following people for their help with vulnerability reports:
- Syed Muhammad Asim
- Lütfü Mert Ceylan
- Ash Holland (two reports)
- Serji Lacroute
- Hoggervr
- Marks Polakovs
- Shripad Rachha
- Mehedi Hasan Remon
- Bhargab Kaushik
- Tayfun Akyildiz
- Harshal S. Sharma
- Chirag Ketan Prajapati
- Sndp Giri
- Tri Wanda Septian
- Deepak Kumar Singh
- Ismail Tasdelen
- niggy
- Alana Witten
- Selvavinayagan Babiharan
- Prince Prafull
- Abhith Damodaran
- Rakan Abdulrahman Al-Khaled
- Emily Dennison
- Younghun Lee
- Akash Rajendra Patil
- Rakesh Sharma
- Dzmitry Smaliak
- Nimmagadda Sai Krishna
- Vinayak Sakhare
- Felipe Gabriel Renzi
- Joshua Arulsamy
- Urvesh Shankar Waghela
- Adrian Tirado Garcia
- Ayushi Poreddiwar
- Steven n0tst3 Black (two reports)
- Yasser Alenazi - Twitter (@firfox20)
- Karan Rathod
- Navreet (Country: India)
- Aviv Keller (@RedYetiDev)
- Mohamed Akees (Country: Sri Lanka)
- Everton Silva - Instagram (@hydd3n.sec)
- Jitendra Behera
- Ori Levi
- Mahbub Rahman Sharaf