Security and vulnerability disclosure
Maintaining the security of our network and the data we hold is important to us. This guidance should be followed by internal and external entities to safely report identified vulnerabilities to the University of Sheffield’s Information Security team.
If you believe you have discovered a security vulnerability in our systems, submit your report to the Information Security team - info-security@sheffield.ac.uk
This guidance applies to any systems directly owned by the University of Sheffield. If you are unsure whether a system is in scope, contact the Information Security team - info-security@sheffield.ac.uk.
This guidance primarily covers security vulnerabilities, however issues that may not be considered security vulnerabilities can still be reported. These might include largely non-exploitable vulnerabilities or configuration issues, such as:
- Missing security headers that may be best-practice but do not impact on the security of the system in this instance
- Support for older, but currently non-exploitable, protocols and cipher suites such as TLS 1.1
- Fingerprinting or version detection
- Out of date software, with no exploitable vulnerability
If we do not consider a submission to be a security vulnerability, we will respond and inform you of this.
What you can expect from us
- We will:
- Act in good faith
- Respond to and acknowledge your report within five working days
- Ask for any additional information we need to investigate your report
- Work with you to confirm the vulnerability, the extent to which it affects the University, and let you know how long we think the vulnerability will take to fix
- Notify you when the vulnerability has been fixed
- Where appropriate, release information about the issue to our members, partners, or the public, to help others determine if they are affected by the vulnerability, and if so, what they need to do
- Review what went wrong and update our practices and processes to improve our products and services
- Not take legal action against you for accessing (or attempting to access) our systems, as long as this guidance is followed and you do not cause foreseeable harm
- Treat your report as confidential, treat your data according to our data protection policies, and not pass your personal data onto any third parties without your permission
What we ask of you
If you believe you have discovered a security vulnerability in our systems, submit your report to the Information Security team - info-security@sheffield.ac.uk.
You can report something to us entirely anonymously. However, this may make it difficult for us to confirm the vulnerability and to acknowledge your efforts if we are unable to contact you.
- You must
If you believe you have discovered a security vulnerability in our systems, submit your report to the Information Security team - info-security@sheffield.ac.uk.
In all cases, you must:
- Act in good faith
- Promptly report any findings to us, stop after you find the first vulnerability and request permission to continue testing
- Report the vulnerability to us with no conditions attached
- Work with us
- Respect privacy
- Contact us immediately if you access anyone else’s data (personal or otherwise)
- This includes usernames, passwords and other credentials. You must not save, store or transmit this information
- Respect confidentiality
- Allow us a reasonable amount of time (at least 90 days) to investigate and resolve the vulnerability before publicly disclosing it. Do not share vulnerability information with other parties during this period
- You must not
If you want to actively test our systems for vulnerabilities, you must not:
- Perform testing likely to:
- provide you with access to someone else’s data
- delete, destroy or corrupt anyone else’s data
- affect other users - for example denial of service and brute-force attacks, or spamming
- Exfiltrate data - instead use a proof of concept to demonstrate a vulnerability
- Use a vulnerability to disable further security controls
- Use automated scanners or fuzzers
- Test systems outside the scope of this guidance
- Perform social engineering
- Perform any testing of physical security
- Break the law, or any agreements you have with the University of Sheffield or third parties
- Perform testing likely to:
Acknowledgement and recognition
Where appropriate, we will provide recognition of your efforts with public credit published on our website.
Our thanks for discovering security vulnerabilities go to:
- Adrian Tirado Garcia
- Ahmad Alassaf
- AKHIL C.D. (akhil-c-d-661abb292)
- Charlie Moorton
- Chinmaya Rana
- Dinesh Narasimhan
- Durvesh Kolhe
- Gaurav Pawar
- Geethu Sivakumar
- Gurudatt Choudhary
- Harsh Sanghvi
- Harsh Sharma
- Harshit Kumar
- Infoziant Security
- Mahbob Alam
- Mahbub Rahman Sharaf
- Mohamed Akees
- Nazmul Haque Jowel
- Parag Bagul
- Parth Narula
- Rajkumar Shanmugam
- Sakil Hasan Saikat
- Shivam Dhingra
- Sourabh Mishra
- Takshal Patel
The University does not have a bug bounty program, or other financial rewards.
Supporting documentation
Supporting policies for the guidance listed above can be found on the Information Security policies page (student or staff login required).
Information Security Incidents can be reported via the Information Security Incident Reporting page.
Feedback
If you have any security related questions or feedback, email: info-security@sheffield.ac.uk
Reporting cyber and information security incidents
Monday to Friday, 8am to 5pm
All incidents involving actual or potential breaches of Information Security must be reported to the IT Service Desk on +44 (0)114 222 1111 via phone or chat. Reports must not be submitted by voicemail or email and must be acknowledged in real time.
Out of hours
Outside of normal working hours incidents should be reported to University Security on +44 (0)114 222 4085. This service is available 24 hours a day, 7 days a week, 365 days a year. Reports must not be submitted by voicemail or email and must be acknowledged in real time.