Users may encounter cybersecurity vulnerabilities when using Illinois systems or networks. It is important to disclose these to Technology Services right away. Please be aware that we do not offer compensation for vulnerability disclosures.
Compromises or other cybersecurity incidents should be reported immediately.
How to disclose a vulnerability
- Send an email security@illinois.edu
- Please include the following information:
- Detailed descriptions of your discovery with clear, concise reproducible steps or a working proof of concept. If applicable, please provide screenshots and/or videos. These can sometimes assist our team in reproducing the issue.
- The impact of the vulnerability: what could happen if this bug were exploited?
- Additional related logs or supporting information
- Recommended solution (optional, but appreciated)
We team will review, investigate and validate your report. Please allow four weeks before you contact us for an update.
Before attempting to test or report a vulnerability
You must:
- Respect privacy. Contact us immediately if you access anyone else’s data, personal or otherwise. This includes usernames, passwords and other credentials. You must not save, store or transmit this information.
- Act in good faith. You should report the vulnerability to us with no conditions attached.
- Work with us. Promptly report any findings to us. Stop after you find the first vulnerability. Request permission to continue testing.
You must not:
- Perform any tests that will disrupt services or impair others’ ability to use them. This includes denial of service or resource exhaustion attacks.
- Exfiltrate data – instead use a proof of concept to demonstrate a vulnerability
- Use a vulnerability to disable further security controls
- Execute any testing that may add, modify, update, or delete existing data
- Perform social engineering or phishing
- Perform any testing of physical security
- Break the law, or any agreements you may have with the University or third parties
- Publicly disclose any vulnerabilities without explicit written permission from Technology Services
- Attempt to brute force passwords
- Use automated scanners
Examples of vulnerabilities to report:
- Remote Code Execution (RCE)
- SQL injection
- XML External Entity injection (XXE)
- Authorization bypass/escalation
- Sensitive information leaks
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Subdomain Takeover (must show impact)
- File Upload (must show impact)
- Server Side Request Forgery (SSRF)
- API Exploitation
Examples of vulnerabilities NOT to report:
- Any bug that does not pose a substantial or demonstrable security risk
- Clickjacking, open redirects, or lack of security headers
- Denial of Service (DOS)
- Social engineering
- Physical exploits of our servers or network
- Local network-based exploits such as DNS poisoning or ARP spoofing
- Cross Site Scripting blocked by browser features in Edge, Firefox, Chrome and Safari
- Vulnerabilities remediated by known vendor patches
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Information disclosure without demonstratable impact
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Open redirect – unless an additional security impact can be demonstrated
- Clickjacking on non-sensitive action pages
- Missing best practices in SSL/TLS configuration
Safe Harbor
When conducting vulnerability research within the terms of this program and Illinois IT policies, we consider such research to be: Lawful, helpful to Illinois Cybersecurity posture, and conducted in good faith.
- Misuse of Illinois systems may result in loss of system and network usage privileges, disciplinary action, up to and including termination or expulsion as outlined in applicable policies, campus administrative manual and the Student Code of Conduct, as well as personal civil and/or criminal liability.
- You are expected, as always, to comply with all applicable laws.
- If you have concerns or are uncertain whether your security research is consistent with the terms of this program, please email your question to securitysupport@illinois.edu.
Credits and thanks
The University of Illinois thanks the following people for their help with vulnerability reports:
Users who disclosed in-scope vulnerabilities with demonstratable impact
- Aidan Glickman
- Max Fan
- Nathan Farlow
- Vinit Lakra
- Darshan Kiran Borole
- Ryan Ziegler
- Khaled M. Alshammri
- Justin Hu
- Dhaval Patel
- Harshit Kumar
- Mohammad Reza Omrani
- Biswajeet Ray
- Nitin Yadav
- Edward Li
- Amin Karami
Additional thanks
- Abdo Farg
- Nayeem Islam
- Yasser-Alenazi
- S.M Akees