Responsible Vulnerability Reporting Standards

Responsible Vulnerability Reporting Standards


Harvard University appreciates the cooperation of and collaboration with security researchers in ensuring that its systems are secure through the responsible discovery and disclosure of system vulnerabilities.


  1. Read the rules below and scope guidelines carefully before conducting research.

  2. Report vulnerabilities by filling out this form.

  3. Harvard University Information Technology (HUIT) will review, investigate, and validate your report. (Due to the number of reports that we receive, it can take up to four weeks to receive a response.)


In performing research, you must abide by the following rules:

  • Do not access or extract confidential information.

  • Do not perform social engineering or phishing.

  • Do not attempt to guess or brute force passwords. You may attempt the use of vendor supplied default credentials.

  • Do not perform denial of service or resource exhaustion attacks.

  • Do not make any changes to or delete data from any system.

  • If your finding requires you to copy/access data from the system, do not copy/access any non-public data or copy/access more than necessary. If one record is sufficient, do not copy/access more.

  • Do not publicly disclose vulnerabilities without explicit written consent from Harvard University.

Violating any of these rules constitutes a violation of Harvard policies and in such an event the University reserves the right to take all appropriate action.

Eligibility for Letter of Appreciation

A letter of appreciation may be provided in cases where the following criteria are met:

  • The vulnerability is in scope (see In-Scope Vulnerabilities).

  • The vulnerability is new (not previously reported or known to HUIT).

  • The vulnerability exists on a system that is directly managed by Harvard University (see Out-of-Scope Domains).

  • The vulnerability is reproducible by HUIT. Please provide a detailed report with steps to reproduce.

In-Scope Vulnerabilities

  • Operating-system-level Remote Code Execution
    • Proof of concept must include execution of the whoami or sleep command.

  • SQL Injection (involving data that Harvard University staff have identified as confidential)
    • Ideal proof of concept includes execution of the command sleep().

  • Use of vendor-supplied default credentials (not including printers)

  • Server-Side Request Forgery
    • Ideal proof of concept includes data collected from metadata services of cloud hosting platforms.

  • XML External Entity Injection
    • Proof of concept must include access to /etc/passwd or /windows/win.ini.

  • Authentication bypass

  • Insecure Direct Object Reference
    • Proof of concept must only target your own test accounts.

  • Subdomain Takeover
    • Proof of concept must include your contact email address within the content of the domain.

Other vulnerabilities with a CVSSv3 score rating above 7 will be considered. Please visit this calculator to generate a score.

Out-of-Scope Vulnerabilities

  • User enumeration of amplification from XML RPC interfaces (xmlrpc.php)

  • XSS (Cross-Site Scripting) without demonstration of how the issue can be used to attack a user or bypass a security control

  • Vulnerabilities that require social engineering or phishing

  • Disclosure of credentials that are no longer in use on active systems

  • Pay-per-use API abuse (e.g., Google Maps API keys)

  • Weak SSL or TLS cipher suites

  • Availability of a printer

  • Default credentials on printers

  • Banner-grabbed version numbers

  • Vulnerability scanner reports without demonstration of a proof of concept

  • Open FTP servers (unless Harvard University staff have identified the data as confidential)

  • URL or header-based redirect

  • All denial-of-service vulnerabilities

Out-of-Scope Domains

Domains and subdomains not directly managed by Harvard University are out of scope. These include, but are not limited to, the following:

  • *

  • *

  • *

  • *

  • *

  • *

  • *

  • *

  • *

  • *

  • *

  • *

  • *

  • *

We suggest you contact these excluded websites / organizations directly via their public contact information available on their respective websites.

Publish Date: April 2022