IT and Library Services

Responsible vulnerability disclosure

We value the work of security researchers in making our public-facing websites and web applications more secure. We invite you to collaborate with us to enhance our security.

IT security is embedded in our culture and within our governance, technology, applications and data. Our systems and services must be secure by design. We aim to identify and rectify any weaknesses that could compromise the integrity, availability, or confidentiality of any of our products, services, or systems.

If you find a security vulnerability in our publicly accessible services, you can report it via our Responsible Vulnerability Disclosure programme.

Reporting is subject to the terms and scope listed below. You must review and agree to them before attempting to test for or report a vulnerability.

Scope

  1. Publicly Facing Websites and Web Applications:
    • All websites and web applications that are accessible over the internet and are owned, operated, or managed by the university.

Out of scope

The following are explicitly out of scope for this program:

  1. Internal Services:
    • Any internal systems, applications or services, including physical and wireless networks.
  2. Third-Party Services:
    • Services or applications that are not owned, operated, or managed by the university.
  3. Physical Security:
    • Unauthorised access to physical locations or facilities, as well as tampering with or bypassing physical security measures.
  4. Social Engineering:
    • Phishing, vishing, or any other form of social engineering attack.

Examples of vulnerabilities in and out of scope

Examples of in-scope vulnerabilities

  • Remote Code Execution (RCE)
  • SQL injection
  • XML External Entity Injection (XXE)
  • Broken Authentication
  • Broken Access Control
  • Authorisation bypass/escalation
  • Sensitive information leaks
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)

Examples of out-of-scope vulnerabilities

  • Any bug that does not pose a substantial or demonstrable security risk
  • Outdated software with no known exploits
  • Clickjacking, open redirects, missing cookie flags or missing security headers
  • Denial of service (DoS)
  • Social engineering
  • Physical exploits of our servers or network
  • Local network-based exploits such as DNS poisoning or ARP spoofing

Reporting vulnerabilities to us

If you discover any vulnerabilities within the scope of this programme, you can report them through the following process:

  1. Submission:
    • Submit the vulnerability report through our designated vulnerability disclosure platform or email address (see “To submit a vulnerability” below).
    • Include detailed information about the vulnerability: the affected URL or service, steps to reproduce or a proof of concept, the potential impact, and any relevant screenshots or logs.
  2. Acknowledgment:
    • We will acknowledge receipt of the vulnerability report.
  3. Assessment:
    • Our security team will assess the reported vulnerability to determine its validity and impact.
  4. Remediation:
    • If the vulnerability is confirmed, we will work to remediate the issue in a timely manner.
  5. Recognition:
    • If you report a valid vulnerability, you may be recognised for your contributions, subject to the university's policies and guidelines. See “what we’ll do” for further information.

Requirements

You must:

  • Respect privacy: If you encounter someone else’s data—whether personal or otherwise, such as usernames, passwords, or other credentials—contact us immediately. Do not save, store, or transmit this information.
  • Act in good faith: Report the vulnerability to us without attaching any conditions.
  • Collaborate with us: Report any findings promptly, cease testing after discovering the first vulnerability, and seek permission to continue.
  • Comply with data protection legislation, any applicable terms and conditions, and all University of Greenwich data protection policies.

You must not:

  • Exploit a vulnerability beyond what is needed for a proof of concept that demonstrates it.
  • Demand financial compensation, or disclose identified vulnerabilities to anyone other than us.
  • Exfiltrate data.
  • Use a vulnerability to disable further security controls.
  • Engage in social engineering.
  • Conduct any physical security testing.
  • Breach any applicable laws or agreements with the University of Greenwich or third parties.

What we’ll do

We will acknowledge receipt of all vulnerability reports. We will recognise those who identify a valid vulnerability. Whilst we are unable to offer a financial reward, we endeavour to recognise individuals for their contribution. This may include, but is not limited to, publishing your name on our website and sending you a letter of appreciation. The method of recognition used is at our discretion.

To submit a vulnerability

After agreeing to and following the steps above, you can submit the vulnerability report through our designated vulnerability disclosure platform or email address (vulnerabilityreports@greenwich.ac.uk).