Stanford University IT, Information Security
Vulnerability Disclosure Program

Policy & Guidance

Environment

To safeguard Stanford's electronic systems, networks, and data, the Stanford Security and Privacy offices have established a Vulnerability Disclosure Program, which encompasses clear policies and guidance for individuals who help identify, investigate, and resolve suspected or confirmed security vulnerabilities.

The Vulnerability Disclosure Program policy acknowledges and provides certain protections, within defined limitations, to Stanford faculty, staff, students, and others who report suspected security vulnerabilities encountered during their normal use of our systems and networks to the Stanford Information Security Office (ISO). Additionally, the Vulnerability Disclosure Program outlines the procedures for the appropriate discovery, reporting, investigation, and resolution of security vulnerabilities.

Stanford appreciates the cooperation and collaboration of security researchers in maintaining the security of its systems. Through responsible discovery and disclosure of system vulnerabilities, we can collectively ensure the integrity of our infrastructure.

Policy

If a security vulnerability has been identified within a Stanford system or network, we ask the individual identifying the security vulnerability to immediately disclose relevant details to the Stanford Information Security Office. The Vulnerability Disclosure Program is not an invitation to scan Stanford's network or systems for vulnerabilities since we monitor our network ourselves.

Rules of Engagement

  • Do not access or extract confidential information.
  • Do not perform social engineering or phishing.
  • Do not attempt to guess or brute force passwords; you may attempt vendor-supplied default credentials.
  • Do not perform denial of service or resource exhaustion attacks.
  • Do not use automated scanners.
  • If your finding requires you to copy/access data from the system, do not copy/access any non-public data or copy/access more than necessary.

Guidance

How to report a security vulnerability

Disclosing or discussing a security vulnerability with anyone other than the Stanford Information Security Office can put Stanford systems, networks, data, and the Stanford community at risk. To ensure appropriate response and handling of security vulnerabilities, all reports or information regarding vulnerabilities should be immediately reported as follows:

To report security vulnerabilities within Stanford University systems or networks:

  • Submit a Help request.
  • If you are unable to submit a ticket for any reason, contact the Stanford Information Security Office via email at vulnerability-disclosure@lists.stanford.edu. Include as much information as possible in your report, including a way for the system owner to reproduce the security vulnerability, if available.

Collaborate with Stanford to find security vulnerabilities

Any person who wishes to scan for or find security vulnerabilities within a Stanford system or network must first obtain written permission from the system and network owners. Advance notification gives system and network owners an opportunity to either deny permission or prepare for any unintended consequences of the security testing or investigation (e.g., unexpected load or non-routine calls being made to the system). Prior to attempting to actively scan for security vulnerabilities within any Stanford system or network, carefully follow the necessary protocols:

  • Contact the Stanford Information Security Office (via email to vulnerability-disclosure@lists.stanford.edu) to initiate the process and identify and facilitate necessary communication with other Stanford IT, privacy, and security personnel, as well as all affected systems and network owner(s).
  • Obtain permission from the system and network owners, and share that information with the Information Security Office. The system and network owners will have individual discretion in determining whether or not to grant permission or may revoke permission at any time if such use interferes with owners' use. This step is not necessary if an owner is attempting to identify security vulnerabilities in his or her own systems or networks.

Please do not make any findings (or related research or other documentation) public or share them with anyone until Stanford has had a chance to investigate and remediate the reported issues. Any identified security vulnerability may not be publicly disclosed before 180 days have elapsed from the time that the vulnerability was reported to Stanford University or until prior permission is received from Stanford University.
