Responsible Disclosure Process
January 10, 2019
CCS Information Security is committed to the continuous improvement of security on the University of Guelph network and strives to proactively identify and remove potential vulnerabilities before they can impact our community. While we have technology and processes in place to detect security vulnerabilities, we also recognize and value the important contributions of others that responsibly bring forward suspected issues and vulnerabilities to our attention.
A security vulnerability is a flaw in software that could allow a malicious user to gain access to information or functionality that they should not have access to. While actively seeking out security vulnerabilities on the University of Guelph network is a violation of the Acceptable Use Policy, we recognize that it is possible for vulnerabilities to be found during the normal course of operations on campus. If you suspect you have discovered a security vulnerability, help us protect the privacy of our community by letting us know. When in doubt, report it!
Information Security takes all vulnerability reports seriously and will investigate each one individually. We request that all communication regarding the vulnerability be kept confidential to allow us the opportunity to resolve the issue.
How to Submit a Vulnerability
Note that this process is not meant for reporting phishing or SPAM email. Please visit our phishing information page for more information on that process.
If you suspect you have discovered a security issue or vulnerability in a University of Guelph system, application, or website, please let us know by contacting the Information Security team.
When submitting a vulnerability, please provide as much detail as possible, including:
- The name of the affected server, application, or website
- A complete and clear description of the vulnerability and the environment with which it was discovered
- Detailed steps to reproduce the vulnerability
- Screenshots or video demonstrating the vulnerability
Information Security Response
Within 3 business days, Information Security will acknowledge your report, open a case within our ticket management system, and begin investigating. You may be contacted to provide additional information or clarification. Response time may vary due to many factors, however all reports will be reviewed based on severity, urgency, and potential impact.
We will be in communication with you to confirm the existence of the vulnerability and, if applicable, the associated plan for remediation. Upon remediation of the vulnerability, we will communicate the remediation to you.
Please note that all aspects of this process may be subject to change depending on the particular case and the discretion of the Information Security team.
CCS Information Security