
Vulnerability Disclosure Program

Policy & Guidance

Environment

To safeguard Stanford's electronic systems, networks, and data, the Stanford Security and Privacy offices have established a Vulnerability Disclosure Program, which encompasses clear policies and guidance for individuals who help identify, investigate, and resolve suspected or confirmed security vulnerabilities.

The Vulnerability Disclosure Program policy acknowledges and provides certain protections, within defined limitations, to Stanford faculty, staff, students, and others who report suspected security vulnerabilities encountered during their normal use of our systems and networks to the Stanford Information Security Office (ISO). Additionally, the Vulnerability Disclosure Program outlines the procedures for the appropriate discovery, reporting, investigation, and resolution of security vulnerabilities.

Stanford appreciates the cooperation and collaboration of security researchers in maintaining the security of its systems. Through responsible discovery and disclosure of system vulnerabilities, we can collectively ensure the integrity of our infrastructure.

Policy

If a security vulnerability has been identified within a Stanford system or network, we ask the individual identifying the security vulnerability to immediately disclose relevant details to the Stanford Information Security Office. The Vulnerability Disclosure Program is not an invitation to scan Stanford's network or systems for vulnerabilities since we monitor our network ourselves.

Rules of Engagement

  • Do not access or extract confidential information.
  • Do not perform social engineering or phishing.
  • Do not attempt to guess or brute-force passwords; you may attempt vendor-supplied default credentials.
  • Do not perform denial of service or resource exhaustion attacks.
  • Do not use automated scanners.
  • If your finding requires you to copy/access data from the system, do not copy/access any non-public data or copy/access more than necessary.

Guidance

How to report a security vulnerability

Disclosing or discussing a security vulnerability with anyone other than the Stanford Information Security Office can put Stanford systems, networks, data, and the Stanford community at risk. To ensure appropriate response and handling of security vulnerabilities, all reports or information regarding vulnerabilities should be immediately reported as follows:

To report security vulnerabilities within Stanford University systems or networks:

  • Submit a Help request.

  • If you are unable to submit a ticket for any reason, contact the Stanford Information Security Office via email at vulnerability-disclosure@lists.stanford.edu. Include as much information as possible in your report, including a way for the system owner to reproduce the security vulnerability, if available.

Collaborate with Stanford to find security vulnerabilities

Any person who wishes to scan for or find security vulnerabilities within a Stanford system or network must first obtain written permission from the system and network owners. Advance notification gives system and network owners an opportunity to either deny permission or prepare for any unintended consequences of the security testing or investigation (e.g., unexpected load or non-routine calls being made to the system). Prior to attempting to actively scan for security vulnerabilities within any Stanford system or network, carefully follow the necessary protocols:

  • Contact the Stanford Information Security Office (via email to vulnerability-disclosure@lists.stanford.edu) to initiate the process and identify and facilitate necessary communication with other Stanford IT, privacy, and security personnel, as well as all affected systems and network owner(s).
  • Obtain permission from the system and network owners, and share that information with the Information Security Office. The system and network owners will have individual discretion in determining whether or not to grant permission or may revoke permission at any time if such use interferes with owners' use. This step is not necessary if an owner is attempting to identify security vulnerabilities in his or her own systems or networks.

Please do not make any findings (or related research or other documentation) public or share them with anyone until Stanford has had a chance to investigate and remediate the reported issues. Any identified security vulnerability may not be publicly disclosed before 180 days have elapsed from the time that the vulnerability was reported to Stanford University or until prior permission is received from Stanford University.