Cybersecurity Vulnerability Disclosure

Users may encounter cybersecurity vulnerabilities when using Illinois systems or networks. It is important to disclose these to the Illinois Cybersecurity team right away. Compromises or other cybersecurity incidents should be reported immediately.

How to disclose a vulnerability

  • Please include the following information:
    • Detailed descriptions of your discovery with clear, concise, reproducible steps or a working proof-of-concept (POC). If applicable, please provide screenshots and/or videos. These can sometimes assist our team in reproducing the issue.
    • The impact of the vulnerability; if this bug were exploited, what could happen?
    • Additional related logs or supporting information
    • Recommended solution (optional, but appreciated)

The Illinois Cybersecurity team will review, investigate, and validate your report. Please allow four weeks before you contact us for an update.

Before attempting to test or report a vulnerability

You must:

  • Respect privacy. Contact us immediately if you access anyone else’s data – personal or otherwise. This includes usernames, passwords, and other credentials. You must not save, store or transmit this information.
  • Act in good faith. You should report the vulnerability to us with no conditions attached.
  • Work with us. Promptly report any findings to us, stop after you find the first vulnerability and request permission to continue testing.

You must not:

  • Perform any tests that will disrupt services or impair others’ ability to use them. This includes denial of service or resource exhaustion attacks.
  • Exfiltrate data – instead use a proof of concept to demonstrate a vulnerability
  • Use a vulnerability to disable further security controls
  • Execute any testing that may add, modify, update, or delete existing data.
  • Perform social engineering or phishing
  • Perform any testing of physical security
  • Break the law, or any agreements you may have with the University or third parties
  • Publicly disclose any vulnerabilities without explicit written permission from the Illinois Cybersecurity team
  • Attempt to brute force passwords
  • Use automated scanners

Examples of vulnerabilities to report:

  • Remote Code Execution (RCE)
  • SQL injection
  • XML External Entity injection (XXE)
  • Authorization bypass/escalation
  • Sensitive information leaks
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)

Examples of vulnerabilities NOT to report:

  • Any bug that does not pose a substantial or demonstrable security risk
  • Clickjacking, open redirects, or lack of security headers
  • Denial of Service (DOS)
  • Social engineering
  • Physical exploits of our servers or network
  • Local network-based exploits such as DNS poisoning or ARP spoofing
  • Cross Site Scripting blocked by browser features in Edge, Firefox, Chrome, and Safari
  • Vulnerabilities remediated by known vendor patches

Safe Harbor

When conducting vulnerability research within the terms of this program and Illinois IT policies, we consider such research to be: Lawful, helpful to Illinois Cybersecurity posture, and conducted in good faith.

  • Misuse of Illinois systems may result in loss of system and network usage privileges, disciplinary action, up to and including termination or expulsion as outlined in applicable policies, campus administrative manual, and the Student Code of Conduct, as well as personal civil and/or criminal liability.
  • You are expected, as always, to comply with all applicable laws.
  • If you have concerns or are uncertain whether your security research is consistent with the terms of this program, please email your question to securitysupport@illinois.edu.

Credits and Thanks

The University of Illinois thanks the following people for their help with vulnerability reports:

  • Aidan Glickman
  • Max Fan
  • Nathan Farlow
  • Vinit Lakra
  • Darshan Kiran Borole
  • Ryan Ziegler
  • Khaled M. Alshammri