Responsible Disclosure Policy

Responsible Disclosure Policy
Type of Policy
Administrative
s1polics Thu, 06/25/2015 - 15:47
Effective Date:
Last Revised:
Review Date:
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

The Georgia Institute of Technology (Georgia Tech or the Institute) recognizes that security vulnerability research takes place on campus both through sponsored research, internally initiated research, and informal research. In addition, system users often find security vulnerabilities incidentally during the course of some other activity. Georgia Tech is fully committed to the identification and remediation of security vulnerabilities within Institute systems and networks. For these reasons the Institute developed this Responsible Disclosure policy to address the need for an ethical way to identify and report security vulnerabilities within Georgia Tech systems and networks.

Policy Statement

Any individual that is attempting to identify a security vulnerability within a Georgia Tech system or network must first obtain permission from the appropriate system owner prior to engaging in any testing or investigation. The reason system owners must be made aware in advance is to give the system owner an opportunity to prepare for any negative consequences of the security testing or investigation. The system owner may choose not to grant permission or may revoke permission at any time if such use interferes with owners use. The Georgia Tech CyberSecurity team is granted the right to perform vulnerability testing and investigation on Institute systems, networks, and users without obtaining explicit permission. Any system owner is granted the right perform vulnerability testing and investigation on their own systems without any outside permission. Once a security vulnerability has been identified within a Georgia Tech system or network, either through an approved investigation or incidentally, the person identifying the security vulnerability must disclose the security vulnerability to the Georgia Tech Cyber Security team as soon as possible, but no later than 48 hours from the time the investigator is aware of the vulnerability. System owners are not required to disclose vulnerabilities identified in their own systems to Georgia Tech Cyber Security. The identified security vulnerability may not be publicly disclosed before 180 days have elapsed from the time that the vulnerability was reported to Georgia Tech Cyber Security or until permission is received from Georgia Tech Cyber Security.

Scope

All employees, students, affiliates, contractors, consultants, vendors, or other Georgia Tech system and network users are covered by this policy. Georgia Tech systems and networks specifically provisioned for information security research are exempt from this policy.

Policy Terms

PGP
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting e-mails.

Publicly Disclosed
Posting vulnerability information to a public website or forum, publishing the vulnerability information in a paper or article, or any other form of communication to individuals other than the appropriate Georgia Tech system owner, Georgia Tech Cyber Security, or the software vendor.

Security Vulnerability
A security vulnerability is a weakness in a system or network that could allow an attacker to compromise the integrity, availability, or confidentiality of that system or network.

Procedures

Prior to attempting to identify security vulnerabilities within an Institute system:

  • To identify the appropriate system owner, please first contact the Georgia Tech CyberSecurity team via email at ask@security.gatech.edu
  • Obtain permission from the system owner. This step is not necessary if the system owner is attempting to identify security vulnerabilities in his or her own systems

If a vulnerability is identified inadvertently or incidentally:

  • Proceed to the next section and follow the procedures on reporting the vulnerability to Georgia Tech CyberSecurity

When reporting a security vulnerability:

  • Within 48 hours of discovering the security vulnerability, contact the Georgia Tech CyberSecurity team via encrypted email at vulnerability.reporting@gatech.edu using our PGP key (available on the public PGP servers and at https://security.gatech.edu/report-vulnerability).
  • Include as much information as possible in your report, including a way for the system owner to reproduce the security vulnerability
  • If you are unfamiliar with PGP and encrypting email, then please email us at vulnerability.reporting@gatech.edu and DO NOT include details of the security vulnerability
  • Provide your contact information
Enforcement

Violations of this policy may result in loss of Georgia Tech system and network usage privileges, disciplinary action, up to and including termination or expulsion as outlined in applicable Georgia Tech Employment policies and the Georgia Tech Student Code of Conduct, as well as personal civil and/or criminal liability. In addition, intentionally circumventing the security of a Georgia Tech system without permission is in violation of Georgia Tech’s Cyber Security policies.