regarding discovery and reporting of vulnerabilities
Stuff that does NOT pose a threat to our systems as such.
So no clickjacking vulnerabilities, content spoofing, old cipher suites that are needed for backwards compatibility, etc.
No stuff concerning others impersonating us - users will click on anything without even checking a URL or email address, so we don't have to jump through hoops to remedy theoretical fraud vectors.
Data accessible over APIs that is already available on our public webpages.
Vulnerabilities that DO pose a threat to our systems as such.
Unintentionally accessible data - so data that is not already available on our public webpages.
Hacks and exploits leading to actual access to data or rights on a system.
As a public facility we cannot grant bounty payments.
Given their consent, we will provide public credit and acknowledgements to the researchers
in our Hall of Fame for first reports of previously unknown vulnerabilities presenting a real risk to our systems.
During testing, avoid disrupting our systems or destroying data - i.e. don't use DoS attacks.
If a vulnerability provides unintended access to data, cease testing and submit a report immediately -
especially if you encounter Personally Identifiable Information (PII), any data owned by our staff or students
or any proprietary information.
Don't violate the privacy of others - don't disclose private information publicly.