Responsible disclosure of Vulnerabilities
At TU Delft, we take the security of our systems very seriously. Despite our efforts to secure our systems, vulnerabilities may still arise.
If you have discovered a vulnerability in one of our systems, please let us know so we can take prompt action and work together to protect our systems better.
Our responsible disclosure policy is not an invitation to actively scan our university network for vulnerabilities. We monitor our business network, which makes it likely that a scan will be detected and lead to unnecessary investigation costs for our CERT.
What we ask of you:
- Email your findings to abuse@tudelft.nl as soon as possible.
- Avoid exploiting the vulnerability, for example, by downloading more data than necessary to demonstrate the issue or by modifying or deleting data.
- Refrain from sharing the vulnerability with others until we indicate that it has been resolved and may be disclosed.
- Do not engage in physical security attacks, third-party application attacks, social engineering, DDoS attacks, or spam.
- Provide sufficient information to reproduce the vulnerability so we can resolve it as quickly as possible. Typically, the IP address or URL of the affected system and a description of the vulnerability are enough, but for more complex vulnerabilities, additional information may be needed.
If you follow the conditions outlined above, we will not take legal action against you in relation to your report. However, the Public Prosecution Service retains the right to decide whether to pursue criminal prosecution.
What we promise:
- We will respond to your report within 3 working days with our assessment and an expected resolution date.
- We will treat your report confidentially and will not share your personal details with third parties without your consent unless required to meet a legal obligation.
- We will keep you updated on the progress of resolving the vulnerability.
- Anonymous or pseudonymous reporting is possible, but this means we will not be able to contact you regarding next steps or potential rewards.
- We offer the possibility of adding your name to our Hall of Fame for recognition, after reporting a valid and serious vulnerability.
Out of Scope:
Some vulnerabilities are automatically addressed in our patch cycles, resulting in a quick resolution. These do not need to be reported through our Responsible Disclosure program.
Examples of vulnerabilities that do not need to be reported include:
- HTTP 404 pages or other responses that do not return a 200 status, as well as content spoofing or text injection on those pages.
- Fingerprinting or other detection of version information that is already publicly shared.
- Clickjacking or vulnerabilities that can only be exploited through clickjacking.
- Enabled HTTP OPTIONS method.
- SSL/TLS configuration issues, such as missing forward secrecy or weak cipher suites.
- SPF, DKIM, DMARC issues.
- Reporting outdated software versions without proof of concept or working exploit.
Reports that are considered "beg bounties" will not be processed or responded to.
We strive to resolve all issues as quickly as possible and keep all involved parties informed. We are happy to be involved in any publication about the vulnerability once it has been resolved.