
Vulnerability disclosure policy

This vulnerability disclosure policy applies to any vulnerability you are considering reporting to us.
We recommend reading this policy in full before you report a vulnerability, and always acting in compliance with it.
We do not offer a bug bounty program or monetary rewards for responsible disclosures. Requests for compensation will not be considered to be in compliance with this policy.
If you are an AGH employee or PhD student, please contact the Centre for Information Security before taking any of the actions described in this document.

Testing vulnerabilities

We strongly encourage you to report every vulnerability you discover; this helps us keep our systems and services as secure as possible.
Please report any vulnerability to the Centre for Information Security at AGH University of Krakow.
You can report any vulnerability you discover in our systems by emailing us at security@agh.edu.pl. We recommend encrypting your report with PGP, using the public key below.

-----BEGIN PGP PUBLIC KEY BLOCK-----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=thFo
-----END PGP PUBLIC KEY BLOCK-----

So that we can verify the reported vulnerability, please at least:

  • indicate the IP address from which the test was conducted; this allows us to match your activity against our logs,
  • describe in as much detail as possible how the bug was discovered and the steps needed to reproduce it, for example with screenshots of the access gained to the system and, if possible, documentation of the individual stages of the attack.

Discovering vulnerabilities

Our expectations:

  • Act ethically and lawfully - reporting a vulnerability must not be motivated by financial benefit or other gratification. Access gained to part of our infrastructure or to a system must not be used to break the law, including by stealing data.
  • Respect users' privacy - contact us immediately if the discovered vulnerability allows access to, or modification of, our resources in a way that could violate the privacy of our users (especially their sensitive data) or of other people whose data we process.
  • Cooperation - we will do our best to eliminate the discovered vulnerability as soon as possible. We may need additional information from you, so we would be grateful for a way to contact you.

You must not:

  • Break any applicable law or regulation.
  • Perform modifications or actions that result in the loss or leakage of data in our systems or services.
  • Disrupt our services or systems, use high-intensity, invasive or destructive scanning tools to find vulnerabilities, or attempt any form of denial of service.
  • Use social engineering or phishing against, or physically attack, our staff or infrastructure.
  • Send spam.

You must always comply with data protection rules and must not violate the privacy of our users. For example, you must not share, redistribute or fail to properly secure any data retrieved from our systems or services through a discovered vulnerability.

What we will do

After receiving your report, we will:

  • Confirm receipt of your report within 7 calendar days.
  • Ask you for additional information if we need it.
  • After analysing and confirming the vulnerability, contact you and let you know how long we think it will take to fix. Our aim is to fix vulnerabilities within 90 days (often faster), depending on the complexity of the vulnerability.
  • If necessary, release information about the issue to the public, to help others determine whether they are affected by the vulnerability and what they need to do.
  • Notify you when the vulnerability has been fixed.
  • Review what went wrong and update our policies to prevent similar vulnerabilities in the future.
  • Not take legal action against you for accessing (or attempting to access) our systems, as long as this policy is followed and you have not caused any damage.
  • Treat your report and personal data as confidential and not pass them on to any third party without your permission.

Policy scope

This policy covers the agh.edu.pl domain and its subdomains, together with the IP address ranges 149.156.96.0/19 and 149.156.192.0/20.
