Responsible Vulnerability Reporting Standards

Overview

Harvard University appreciates the cooperation of and collaboration with security researchers in ensuring that its systems are secure through the responsible discovery and disclosure of system vulnerabilities.

Process

  1. Read the rules below and scope guidelines carefully before conducting research.

  2. Report vulnerabilities via email to security@harvard.edu.

  3. Harvard University IT will review, investigate, and validate your report. (Due to the number of reports that we receive, please allow four weeks before you contact us for an update.)

Please direct questions to security@harvard.edu.

Rules

In performing research, you must abide by the following rules:

  • Do not access or extract confidential information.

  • Do not perform social engineering or phishing.

  • Do not attempt to guess or brute-force passwords. You may attempt to use vendor-supplied default credentials.

  • Do not perform denial of service or resource exhaustion attacks.

  • Do not make any changes to or delete data from any system.

  • If your finding requires you to copy/access data from the system, do not copy/access any non-public data or copy/access more than necessary. If one record is sufficient, do not copy/access more.

Violating any of these rules constitutes a violation of Harvard policies, and in such an event the University reserves the right to take all appropriate action.

In-Scope / Eligible for Letter of Appreciation

A letter of appreciation may be provided in cases where the following criteria are met:

  • The vulnerability identified is new (not previously reported or known to Harvard University IT).

  • The vulnerability is on a system for which Harvard University is responsible.

  • The vulnerability is reproducible by Harvard University IT. Please provide a detailed report with steps to reproduce.

  • The vulnerability poses a moderate or higher risk as determined by Harvard University.

Out-of-Scope / Not Eligible for Letter of Appreciation

  1. Domains and subdomains not managed by Harvard University are out of scope. These include, but are not limited to, the following:

    • *.adsabs.harvard.edu

    • *.bidmc.harvard.edu

    • *.bwh.harvard.edu

    • *.cfa.harvard.edu

    • *.chandra.harvard.edu

    • *.childrens.harvard.edu

    • *.cxc.harvard.edu

    • *.dfci.harvard.edu

    • *.hsl.harvard.edu

    • *.joslin.harvard.edu

    • *.meei.harvard.edu

    • *.mgh.harvard.edu

    • *.rmf.harvard.edu

    • *.tch.harvard.edu

    We urge you to contact these organizations directly via their public contact information.

  2. The following commonly reported vulnerabilities are not eligible:

    • Cross-Site Scripting blocked by built-in browser protections in Edge, Firefox, Chrome, and Safari

    • Host Header Injection redirects

    • POODLE SSL attacks and insecure TLS/SSL cipher suite reports

  3. Vulnerabilities rated P4 or P5 in the Bugcrowd vulnerability rating taxonomy are not eligible.