Vulnerability disclosure policy

This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to us. We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it.

We do not offer a bug bounty program or monetary rewards for responsible disclosures, and requests for compensation will not be considered compliant with this Responsible Disclosure Policy.

If you are an AGH employee or PhD student, please contact the Cybersecurity Department before taking any of the actions described in this document.

Testing vulnerabilities

We strongly encourage you to report all discovered vulnerabilities; this helps us ensure the highest level of security for our systems and services.

Please report any vulnerability to the Cybersecurity Department at AGH University.

You can report any vulnerability you discover in our systems by emailing us at bezpieczenstwo@agh.edu.pl. We recommend encrypting the report with PGP/GPG using our public key.

Your report should include (at least) the following details:

  • The IP address from which the vulnerability was observed, so that we can verify it against our logs,
  • A detailed description of how the vulnerability was discovered, including steps to reproduce it, e.g. a screenshot of the system accessed or a step-by-step guide to the attack.

Discovering vulnerabilities

Our expectations:

  • Act ethically and lawfully - reporting a vulnerability must not be motivated by financial benefit or other gratification. Access gained to any part of our infrastructure or systems must not be used to break the law, including stealing data.
  • Respect users' privacy - contact us immediately if a discovered vulnerability allows access to or modification of our resources in a way that could violate the privacy of our users (especially sensitive data) or of other people whose data we process.
  • Cooperate - we will do our best to eliminate the discovered vulnerability as soon as possible. We may need additional information from you, so we would be grateful for a way to contact you.

You must not:

  • Break any applicable law or regulations.
  • Try to corrupt or modify data, or cause data leakage, on our systems or services.
  • Disrupt our services or systems, use high-intensity, invasive or destructive scanning tools to find vulnerabilities, or attempt any form of denial of service.
  • Use social engineering, conduct phishing attacks, or physically attack our staff or infrastructure.
  • Send spam.

You must always comply with data protection rules and must not violate the privacy of our users. For example, you must not share, redistribute or fail to properly secure data retrieved from systems or services accessed through a discovered vulnerability.

What we will do

After receiving your report, we will:

  • Confirm receipt of your report within 7 calendar days.
  • Ask you for additional information if needed.
  • Upon analysing and confirming the vulnerability, contact you and let you know how long we think it will take to fix. Our aim is to fix vulnerabilities within 90 days of confirmation (sometimes faster), although this depends on the complexity of the vulnerability.
  • If necessary, release information about the issue to the public to help others determine whether they are affected by the vulnerability and, if so, what they need to do.
  • Notify you when the vulnerability has been fixed.
  • Review what went wrong and update our policies to prevent similar vulnerabilities in the future.
  • Not take legal action against you for accessing (or attempting to access) our systems, as long as this policy is followed and you have not caused any damage.
  • Treat your report and personal data as confidential and not pass them on to any third parties without your permission.

Policy scope

The policy covers the agh.edu.pl domain and its subdomains, together with the IP address ranges 149.156.96.0/19 and 149.156.192.0/20.