Responsible Disclosure Policy
At the University of Klagenfurt, we place the highest priority on the security of our systems and products.
Despite the considerable attention we devote to our technologies, vulnerabilities may still occur. If you discover any vulnerabilities relating to IT systems and web applications at the University of Klagenfurt, please let us know.
We will take immediate action to rectify the weakness identified as quickly as possible.
Please note that the university is a public institution and therefore cannot offer any reward (bug bounty programme) in return for your efforts.
How to report a vulnerability
- Please check in advance which incidents fall outside the scope of our Responsible Disclosure Policy (RDP) and are therefore not handled under it (see the Out of Scope list below).
- Contact the university’s IT Security Officer at responsible-disclosure [at] aau [dot] at.
- Please notify us of the time, place and manner in which the vulnerability or problem occurs. We can only reproduce and analyse the vulnerability or problem if we have sufficient information (a written description including screenshots). Do not, however, exfiltrate data in order to provide us with samples.
- Please provide your contact details (e-mail) in case we have any queries.
Which incidents do NOT fall within the scope of the Responsible Disclosure Policy (Out of Scope)?
The following incidents do not fall within the scope of the Responsible Disclosure Policy and are consequently not handled in accordance with this policy:
- Physical attacks against data centres or the organisation’s property
- Social engineering attacks targeting employees or customers (for example: falsifying login pages, customer service, social media)
- Distribution of spam
- Denial of service attacks
- Missing HTTP security headers without specific effects
- Errors that can only be exploited by clickjacking
- Self-XSS
- Vulnerabilities that require improbable user interaction (for example: deactivation of browser protection measures)
- Disclosure of information that is marked as public
- Attacks requiring a man-in-the-middle
- Invalid social media links (please report these to webredaktion [at] aau [dot] at)
How does the University of Klagenfurt deal with a reported vulnerability?
- We will send you an acknowledgement to confirm receipt of your notification.
- We will validate your report on the vulnerability described and will take immediate action to address the vulnerability identified as swiftly as possible.
- We will treat your report confidentially and will not disclose your personal data to third parties without your consent.
- We will inform you promptly about the results of our analysis and any action taken.
We request that you
- use your knowledge of the vulnerability responsibly and do not pass on any information about the vulnerability to third parties or institutions unless this has been expressly authorised by the University of Klagenfurt;
- do not exploit a vulnerability for the purpose of finding other vulnerabilities or, for example, by downloading, modifying or deleting data or uploading code;
- do not carry out attacks in an attempt to compromise, change or manipulate our IT systems, infrastructure or people;
- do not perform any social engineering (e.g. phishing), (distributed) denial of service, spam or other attacks on the University of Klagenfurt.