Report System Vulnerabilities

The University Acceptable Use of Information Technology Resources Policy focuses on what you can and cannot do, and where to report violations of acceptable use.

Information security is a shared responsibility. University community members who become aware of a potential system vulnerability within the University network that might lead to data loss or interruption of IT services are required to:

  • report the vulnerability to University Information Security (UIS) via [email protected]
  • not disclose the vulnerability publically.
  • not access any data without authorization, beyond the minimum extent necessary to demonstrate a vulnerability.

The responsibility to report vulnerabilities:

  • does not authorize automated scans of the University network. If unsanctioned scans are detected, they will be investigated and may be subject to limitation or termination of user privileges, appropriate disciplinary action, and/or legal action.
  • does not apply to external parties.
  • is not compensated by the University (aka 'a bug bounty').