Report a vulnerability

The University of Victoria is committed to maintaining the security of our systems. We value the work of security researchers and our community in helping achieve this goal.

We appreciate and encourage responsible reporting and disclosure of any security vulnerabilities. Disclosures help us address vulnerabilities before they can be exploited.

Rules

The fact that we encourage responsible disclosure is not an invitation to misuse our information systems.

  • Do not exploit a vulnerability in order to find other vulnerabilities.
  • Do not extract data in order to provide samples to us.
  • We do not provide monetary rewards for finding vulnerabilities.

Out of scope

  • SPF/DMARC/DKIM - email authentication methods
  • Clickjacking (unless accompanied by substantial proof of concept)
  • CAA - DNS Certificate Authority Authorization
  • HSTS - HTTP Strict Transport Security
  • Host header injection, if impact is limited to redirecting your own traffic
  • Broken social media links - please report these to socialmedia@uvic.ca 

Submit a report

To report a vulnerability, please email us at vulnerabilities@uvic.ca

When submitting a report:

  • Describe the attack scenario to explain why there is a risk
  • Provide clear steps to reproduce the issue  
  • Try to use your own words instead of copying references from a scanning or vulnerability tool or website
  • Tailor your report to the system where you found the vulnerability
  • Written reports and screenshots are generally preferred over videos

Our commitment is to review every submission.  However, we are only able to reply in cases where we perceive a clear and present danger to our information.

Thank you in advance for your submission. We appreciate your assistance in our security efforts to protect our community.