Responsible Disclosure Standard
Table of Contents
1. Purpose and Background
2. Standards
a. Intentional Testing
b. Incidental Discovery
c. What is non-responsible disclosure?
d. Required Reporting
3. Definitions
4. Related Links
5. Exceptions
REVISION HISTORY: (New on 8/3/2021)
1. Purpose and Background
University Information Security (InfoSec) recognizes that during the course of research or general use of IT resources, users may discover vulnerabilities. The Acceptable Use of the University's Information Technology Resources (IRM-002) policy states that users of University information technology (IT) resources are required to use the University’s IT resources in an ethical, professional, and legal manner.
InfoSec wants to encourage users to disclose vulnerabilities in this manner. This standard establishes the types of reports considered to be responsible disclosure and how to report them.
2. Standards
The University acknowledges two types of responsible disclosure: intentional testing and incidental discovery. This standard does not apply to Information Security initiated penetration testing (PEN testing). Other units who want to conduct a pen test or search for vulnerabilities must follow the requirements of this standard.
Intentional Testing
In order for a vulnerability to be responsibly disclosed under intentional testing, the following must be true:
- At least five business days prior to testing or searching for a vulnerability, testers must email InfoSec at [email protected] to describe their proposed testing.
- The tester receives written approval to proceed. Information Security may revoke permission to proceed at any time before testing.
- During testing, the tester must not exploit the vulnerability in a way that either impacts University operations or causes an unauthorized exposure or alteration of data.
- If a vulnerability is found or suspected, it is reported to InfoSec within twenty-four hours of discovery.
Discovery of a vulnerability that does not meet these four criteria may still be considered responsible disclosure. Such decision is at the sole discretion of the Chief Information Security Officer (CISO).
Incidental Discovery
InfoSec requires the reporting of vulnerabilities a user discovers. At the same time, it recognizes the need to protect the integrity of the University’s IT resources. In order for a reported vulnerability to be responsible disclosure under incidental discovery, the following conditions must be true:
- The user reports it to InfoSec within twenty-four hours of discovering the vulnerability.
- The incidental discovery is encountered as part of the user’s role and responsibilities at the University.
- The user does not exploit the vulnerability for any reason, including attempts to test it, without written approval from InfoSec.
Discovery of a vulnerability that does not meet these three criteria may still be considered incidental discovery. Such decision is at the sole discretion of the Chief Information Security Officer (CISO).
What is non-responsible disclosure?
Non-responsible disclosure includes, but is not limited to, the:
- disclosure of vulnerabilities to others instead of solely to InfoSec,
- exploitation of vulnerabilities,
- exploration of vulnerabilities without written approval from InfoSec,
- delayed reporting of vulnerabilities.
Compliance: Such activity can compromise the confidentiality, integrity, and availability of UVA IT resources and data. Therefore, the failure to comply with the requirements of this standard may result in the limitation or revocation of access to University IT resources. In addition, failure to comply may also result in disciplinary action up to and including termination or expulsion in accordance with relevant University policies. Violation of this standard may also violate federal, state, or local laws.
Required Reporting
Users who suspect or know of vulnerability must report the incident at the "Reporting a Security Incident” website (preferred) or by telephoning (434) 924-4165 within one (1) hour from the time the vulnerability is identified or suspected.
3. Definitions
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Acceptable Use of the University’s Information Technology Resources (IRM-002)
- Data Protection of University Information (IRM-003)
- Information Security of University Technology Resources (IRM-004)
- Reporting an Information Security Incident Standard
- Reporting an Information Security Incident Procedure
- Report an Information Security Incident
5. Exceptions
If you cannot meet this standard’s requirements, you must use the policy exception request process.