BU-CERT Responsible disclosure policy

What to report to BU-CERT:

Security incidents and vulnerabilities in the software components, protocols, or hardware of websites or systems within the bournemouth.ac.uk subdomains that may affect a significant number of users.

Vulnerability reporting policy:

BU-CERT reserves the right to accept or reject any vulnerability disclosure report at its discretion, based on the following general criteria:

  1. Pre-disclosure handling of the potentially sensitive vulnerability details:
    • The vulnerability must not already have been publicly disclosed.
    • Report the vulnerability as soon as possible after discovering it.
    • Even after reporting the vulnerability, do not share any information on the security problem with others until the incident has been processed and resolved. Failure to comply with this requirement may result in the reporter being removed from the BU-CERT Hall of Fame.
  2. A finding must be new to be eligible for a mention in the BU-CERT Hall of Fame. BU-CERT reserves the right to reject reports of vulnerabilities that have already been reported.
  3. Do not use automated scanning tools (Acunetix, Nessus, etc.), as these risk impairing the target.

Vulnerability reporting instructions:

  • E-mail your findings to cert (at) bournemouth.ac.uk
  • Include your social media (LinkedIn or Twitter) handle from the outset. Anonymous reports are accepted, but anonymous reporters will not be acknowledged in the Hall of Fame.
  • Encrypt your e-mail using the PGP key available on the BU-CERT website.
  • Provide as much information as possible about the finding (for example the affected host, steps to reproduce, and the observed impact) so that BU-CERT can handle the incident as efficiently as possible.

If more information is required, BU-CERT will contact the reporter; any contact details provided (e-mail address and telephone number) must therefore be valid.