Responsible Disclosure Policy

Type of Policy: Administrative
Effective Date: October 2015
Review Date: October 2018
Policy Owner: OIT-Information Security
Contact Name: Jimmy Lummis
Contact Title: Information Security Policy and Compliance Manager
Contact Email: jimmy.lummis@oit.gatech.edu
Reason for Policy:
The Georgia Institute of Technology (Georgia Tech or the Institute) recognizes that security vulnerability research takes place on campus through sponsored research, internally initiated research, and informal research. In addition, system users often find security vulnerabilities incidentally in the course of some other activity. Georgia Tech is fully committed to the identification and remediation of security vulnerabilities within Institute systems and networks. For these reasons the Institute developed this Responsible Disclosure policy to address the need for an ethical way to identify and report security vulnerabilities within Georgia Tech systems and networks.
Policy Statement:
Any individual who is attempting to identify a security vulnerability within a Georgia Tech system or network must first obtain permission from the appropriate system owner prior to engaging in any testing or investigation. System owners must be made aware in advance so that they have an opportunity to prepare for any negative consequences of the security testing or investigation. The system owner may choose not to grant permission, or may revoke permission at any time if such use interferes with the owner's use. The Georgia Tech CyberSecurity team is granted the right to perform vulnerability testing and investigation on Institute systems, networks, and users without obtaining explicit permission. Any system owner is granted the right to perform vulnerability testing and investigation on their own systems without any outside permission.

Once a security vulnerability has been identified within a Georgia Tech system or network, either through an approved investigation or incidentally, the person identifying the security vulnerability must disclose it to the Georgia Tech CyberSecurity team as soon as possible, but no later than 48 hours from the time the investigator becomes aware of the vulnerability. System owners are not required to disclose vulnerabilities identified in their own systems to Georgia Tech CyberSecurity. The identified security vulnerability may not be publicly disclosed until the Institute has had the opportunity to remediate or mitigate it, or until permission is received from Georgia Tech CyberSecurity.
Scope: 
All employees, students, affiliates, contractors, consultants, vendors, or other Georgia Tech system and network users are covered by this policy. Georgia Tech systems and networks specifically provisioned for information security research are exempt from this policy.
Policy Terms: 

PGP
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting e-mails.

Publicly Disclosed
Posting vulnerability information to a public website or forum, publishing the vulnerability information in a paper or article, or any other form of communication to individuals other than the appropriate Georgia Tech system owner, Georgia Tech CyberSecurity, or the software vendor.

Security Vulnerability
A security vulnerability is a weakness in a system or network that could allow an attacker to compromise the integrity, availability, or confidentiality of that system or network.

Procedures: 

Prior to attempting to identify security vulnerabilities within an Institute system:

  • To identify the appropriate system owner, please first contact the Georgia Tech CyberSecurity team via email at cyber@oit.gatech.edu.
  • Obtain permission from the system owner. This step is not necessary if the system owner is attempting to identify security vulnerabilities in his or her own systems.

If a vulnerability is identified inadvertently or incidentally:

  • Proceed to the next section and follow the procedures on reporting the vulnerability to Georgia Tech CyberSecurity.

When reporting a security vulnerability:

  • Within 48 hours of discovering the security vulnerability, contact the Georgia Tech CyberSecurity team via encrypted email at vulnerability.reporting@gatech.edu using our PGP key (available on the public PGP servers and at http://security.gatech.edu/vulnerability-reporting).
  • Include as much information as possible in your report, including a way for the system owner to reproduce the security vulnerability.
  • If you are unfamiliar with PGP and encrypting email, then please email us at vulnerability.reporting@gatech.edu and DO NOT include details of the security vulnerability.
  • Provide your contact information.

Enforcement:
Violations of this policy may result in loss of Georgia Tech system and network usage privileges and disciplinary action, up to and including termination or expulsion as outlined in applicable Georgia Tech Employment policies and the Georgia Tech Student Code of Conduct, as well as personal civil and/or criminal liability. In addition, intentionally circumventing the security of a Georgia Tech system without permission violates the following provision of the Computer and Network Usage and Security Policy: "Users are required to respect security measures implemented on Georgia Tech systems, networks, and applications."
Compliance and Policy Management
760 Spring Street N.W. Suite 324
Phone: 404-385-0731