Tilburg University CERT

Computer Emergency Response Team

Responsible Disclosure

At Tilburg University, we consider the security of our systems a top priority. But no matter how much effort we put into system security, vulnerabilities can still be present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We ask you to help us better protect our clients and our systems.

This is not, however, an invitation to pentest our site, nor is the use of automated tools to scan for vulnerabilities allowed.

Responsible disclosure

Please do the following to make a responsible disclosure:
  • E-mail your findings to responsible-disclosure@uvt.nl. If you attach documents to your message, make sure they are only PDF or PNG/JPG. If you really need to send something else, contact us first; otherwise your report will be dismissed as incorrectly submitted.
    If you have gpg, you can encrypt your findings with our PGP key for cert@uvt.nl to prevent this critical information from falling into the wrong hands. PGP is not mandatory.
  • We read messages in plain text; HTML is converted by stripping all HTML tags from the message. Make sure your message is still readable after that, or it might be (silently) ignored.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other people's data,
  • Do not reveal the problem to others until it has been resolved,
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications,
  • Do not use automated tools to run (large-scale) tests on our site, and
  • Do provide sufficient information for us to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation (if necessary we will contact you for more information).

Our reaction

If you perform a valid responsible disclosure, our promise is the following:
  • We will send a first response to your report within 5 business days,
  • We will send you our evaluation of the report and, if applicable, an expected resolution date,
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report,
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission, and
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem, unless you desire otherwise.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.

This Responsible disclosure is based on an example written by Floor Terra (http://responsibledisclosure.nl).

Valid reports

We accept reports of real vulnerabilities in applications and/or systems. Vulnerabilities for which we have accepted the risk are not considered valid reports, as they have already been dealt with. Likewise, missing DNS records (SPF, CAA and the like), missing security headers on websites (HSTS, Content-Security-Policy, clickjacking protection and the like), version number disclosures and default pages are not considered valid reports. These cases are known to us and are either already being worked on or are deliberate choices we made between functionality and security.

Hall of Fame

We want to thank everybody who reported a vulnerability in a responsible way. The first person to submit a valid report exclusively to responsible-disclosure@uvt.nl is listed in the Hall of Fame.

Remarks

  • Do not ask for updates within the first 5 business days,
  • There is no need to explicitly ask for a listing in the Hall of Fame or for S.W.A.G., and
  • We will review every report and add you to the Hall of Fame at our discretion and in due time.


  Reporter                       Reports
  Mitesh Patil                   9
  Jose Carlos Exposito Bueno     7
  Rounak Dhadiwal                5
  Zeba Naaz                      5
  Dave Jong                      5
  Ferdi Bak                      4
  Kasper Karlsson                3
  Shanmuka Prasad D.             2
  Tanay Wagh                     1
  Shyam Jordan                   1
  Vikash Chaudhary               1
  Sanyam Chawla                  1
  Dawood Ansar                   1
  Chirag Gupta                   1
  Somil Jain                     1
  Aditya jadhav                  1
  Raghu Reddy                    1
  Akash Upadhayay                1
  Huy Kha                        1
  Daniel Bakker                  1
  Yung Lean                      1
  Totals                         53 (2016: 2, 2017: 6, 2018: 45)