Responsible disclosure process

Purpose

Manchester Metropolitan University is committed to maintaining and continuously improving the security of its systems. We value the help of security researchers and the wider security community in keeping our systems secure. This document defines how the University works with the security research community to improve our online security.

Scope

  • The mmu.ac.uk domain name and all subdomains of mmu.ac.uk.
  • Any systems in use by the University.

Reporting a vulnerability

If you have discovered an issue that falls within the scope of this responsible disclosure policy (for example, but not limited to, a TLS configuration weakness or an indication that our services do not fully align with industry best practice), please email igincident@mmu.ac.uk and include:

  • A description of the issue and where it is located – be as specific as possible.
  • A description of the steps that led you to discover the issue.
  • The entire URL (if applicable) and/or any IP addresses relevant to the vulnerability.
  • Details of the affected platforms, components, operating systems and software versions.
  • Any screenshots, including any log files (if applicable).
  • Any reference to existing vulnerability information where relevant.

We ask that:

  • You do not put any University data at risk, degrade the performance of any of our systems, or conduct any form of attack.
  • You act in a responsible manner and do not break any applicable laws.
  • You alert us immediately if you can access anyone else’s data, personal or otherwise, including usernames or passwords. Please do not store, save or transmit this information.
  • You do not attempt to prove any vulnerabilities. Any such action could be treated by the University as a potential misuse of the system and is therefore likely to lead to further action.
  • You do not share vulnerability details except with the University Information Security team.
  • You do not report generic vulnerabilities with no evidence of relevance to our systems.

What you can expect from us:

In response to any responsible disclosure, we will ensure that:

  • Information you provide will be treated as confidential; we will not share your data unless required by law.
  • We keep you up to date with our progress and notify you when an issue is resolved.
  • We will ask you for additional information only if we need it to investigate the issue further.
  • Where necessary, a review will take place to update our practices to improve our security.

Confidentiality

Please treat as confidential any information associated with University systems, staff or students that you have acquired, or otherwise become aware of, and that is not publicly available. Do not share it with anyone; send it only to igincident@mmu.ac.uk as part of your responsible disclosure.

Version: 2.2
Release date: 25/04/2023
Review date: 25/03/2024