Vulnerability disclosure policy
Protecting our systems, and the data entrusted to us by our members, is integral to what we do.
We value the work done by security researchers in making the Internet a safer and more secure space, and have developed this policy using guidance from ISO 29147:2018.
If you have identified a security vulnerability in our products, services or systems, we would like to work with you to improve our systems. Please review this policy before attempting to test or report a vulnerability.
A security vulnerability is a weakness in a product, service or system that could allow an attacker to compromise the integrity, availability, or confidentiality of that product, service or system.
Reporting vulnerabilities
You can report any vulnerability you discover in our systems by emailing vulnerability@jisc.ac.uk. More details on how to contact us, including how to secure your communications, are provided later in this policy.
In all cases, you must:
- Respect our members’ privacy. Contact us immediately if you access anyone else’s data, personal or otherwise. This includes usernames, passwords and other credentials. You must not save, store or transmit this information
- Act in good faith. You should report the vulnerability to us with no conditions attached
- Work with us. Promptly report any findings to us, stopping after you find the first vulnerability and requesting permission to continue testing. Allow us a reasonable amount of time to resolve the vulnerability before publicly disclosing it
And you must not:
- Exfiltrate data. Instead use a proof of concept to demonstrate a vulnerability
- Use a vulnerability to disable further security controls
- Perform social engineering
- Perform any testing of physical security
- Break the law, or any agreements you may have with Jisc or third parties
Testing for vulnerabilities
If you want to actively test our systems for vulnerabilities, you must:
- Only test systems that are in scope of this policy. These are listed further down in this policy
- Use a test, or other non-production, environment if it is available to you
- Only test vulnerabilities using your own accounts, or accounts that you have permission to test with
And you must not:
- Perform testing likely to provide you with access to someone else’s data
- Perform testing likely to delete, destroy or corrupt anyone else’s data
- Perform testing likely to affect other users, e.g. denial of service, brute-force attacks or spamming
- Use automated scanners/fuzzers
- Test systems not in scope of this policy
You can help us by:
- Providing the IP address from which you performed the testing so that we can view logs related to your testing
- Clearly identifying your traffic, for example by including a unique custom HTTP header such as X-Jisc-CVD:<youremail@address>
- If you are attempting to demonstrate root level access, please use touch /root/<uniqueid>
- Providing us with detailed information about the vulnerability to help us confirm it, e.g.:
  - The URL of the product, service or system
  - If the vulnerability is in code that Jisc distributes, the version number
  - A description of the vulnerability
  - The steps needed to reproduce the vulnerability, and any proof-of-concept code
  - Any screenshots
  - Details of the browser and OS used during testing
  - How you prefer to be contacted
  - Any current plans you have to disclose the vulnerability
What we'll do
Jisc will:
- Respond and acknowledge your report within seven calendar days
- Ask for any additional information we need to investigate your report
- Work with you to confirm the vulnerability, the extent to which it affects us, and let you know how long we think the vulnerability will take to fix. Our aim is to fix vulnerabilities within 90 days of confirmation
- Notify you when the vulnerability has been fixed
- Where appropriate, release information about the issue to our members, partners, or the public to help others determine if they are affected by the vulnerability, and if so, what they need to do
- Review what went wrong and update our practices and processes to improve our products and services
- If you wish, acknowledge your assistance to Jisc in our hall of fame (below)
- Promise not to take legal action against you for accessing (or attempting to access) our systems as long as this policy is followed and you do not cause foreseeable harm
- Treat your report as confidential, treat your data according to our privacy policy, and not pass your personal data onto any third parties without your permission
There are some issues that we may not consider to be security vulnerabilities, but you can still report them to us. We will respond and inform you why we do not consider the issue to be a security vulnerability. These are largely non-exploitable vulnerabilities or configuration issues, e.g.:
- Missing security headers that may be best-practice but do not impact on the security of the system in this instance
- Support for older, but non-exploitable, protocols and cipher suites such as TLS 1.1
- Fingerprinting/version detection
- Out of date software, with no exploitable vulnerability
Communicating with Jisc
If you are worried about the confidentiality of information sent to Jisc as part of this process, we recommend you send the information to Jisc CSIRT using PGP/GPG. Details of their key can be found on the CSIRT page.
You may prefer to work through a third party such as a CSIRT team. Jisc is a member of FIRST and works with various CERTs and CSIRTs globally. We may work with other CERTs and CSIRTs if we need to collaborate with a wide variety of organisations or coordinate the release of information. You can decide to work through a third party for any reason, even after contacting us directly.
You may wish to report something to us entirely anonymously. We are happy for you to do this, but it may make it difficult for us to confirm the vulnerability and acknowledge your efforts if we are unable to contact you. We may also fail to identify your activity if you are anonymous, for example if you do not wish to provide us with the IP address used to test our systems.
Scope of the policy
This policy is under active development. We are using a limited scope to help us explore what works well and what does not. The scope of the policy will change over time.
Systems in scope
The fully qualified domain names of the systems within scope are listed below. Subdomains not explicitly listed are not in-scope. All systems within scope can be identified by the presence of security.txt within their web root, for example https://domain.jisc.ac.uk/security.txt.
- cybersecurity.jisc.ac.uk
- digitalinsights.jisc.ac.uk
- digitalcapability.jisc.ac.uk
- jisc.ac.uk
- liberate.jisc.ac.uk
- manage.jisc.ac.uk
- onlinesurveys.ac.uk
- openathens.org
- openathens.net
- studygoal.jisc.ac.uk
- ukfederation.org.uk
- v2.sherpa.ac.uk
- wugen.ukfederation.org.uk
Systems not in scope
- All systems not explicitly mentioned as in-scope
If you are unsure as to whether a system is in scope, please contact us first.
Jisc employees and contractors
If you are a Jisc employee or contractor, use the internal process for reporting incidents, not this external process.
We would like to encourage you to work on security problems that cannot be addressed externally and ensure that your efforts are recognised by our performance management system. For more information contact the information security team.
Hall of fame
Jisc would like to thank the following people for helping improve the security of our products, services, and systems:
Abhijith A, Mohammed Abdul, Madhusudan Acharya, Utkarsh Agrawal, Ameya Andhare, Alex Bailey, Suyash Bavalekar, Jayesh Baviskar, Tuhin Bose, Maham Farizul, Chirag Gupta, Priyanshu Gupta, Mohammed Israil, Somil Jain, Harsh Joshi, Shruti Kapoor, Mayank Kaushal, Sankalp Kelaskar, Aniruddha Khadse, Naveen Kumar, Pasan Rawana Lamahewa, Serge Lacroute, Fahimul Kabir Lemon, Devang Karelia, Pethuraj M, Ketan Madhukar Mukane, Rayen Messaoudi, Al Naeem, Kunal Narsale, Sayak Naskar, Vivek Panday, Khushbu Parmar, Priyanshu Parihar, Thinh Hoang Quoc, Muthumohanprasath R, Vismit Rakhecha, Ankush Rautela, Devisha Rochlani, Sayeed Shaik, Irfan Sayyed, Jai Kumar Sharma, Pawan Singhal, Chetan Tiwari, Muhammad Uzair, Aravind Valugonda, Acelakshit Verma, Rituraj Vishwakarma, Prudhvi Vuda, Sagar Yadav and Tanya Volkova.