Vulnerability Disclosure

The University of Victoria is committed to maintaining the security of our systems. As a research-intensive university, we very much value the work of security researchers and of our community in helping achieve this goal. We appreciate and encourage responsible reporting and disclosure of any security vulnerabilities that may impact the confidentiality, integrity, or availability of our systems.

Reporting Procedure

If you do become aware of a vulnerability, we request that you inform us via email to so that we can take corrective action.  Please note:

  • Do not exploit a vulnerability in order to find other vulnerabilities
    • If you would like to explore a vulnerability further, report it to us via email to and request permission to probe it further
  • Do not exfiltrate data in order to provide samples to us
  • We do not provide monetary rewards for finding vulnerabilities but will publicly thank and acknowledge individuals upon request (see below)

Your report should provide clear steps to reproduce the issue and describe the attack scenario to explain why there is a risk. Try to use your own words, and tailor your report to the system you found it in, rather than copying references from a scanning or vulnerability tool or website. Written reports and screenshots are generally preferred over videos.

Thank you in advance for your submission and quality report. We appreciate your assistance in our security efforts to protect our community.

University Policy References

All UVic faculty, staff and students are reminded of their responsibilities outlined within the following policies:

  • Acceptable Use of Electronic Information Resources (IM7200)
  • Information Security Policy and related procedures (IM7800)
  • Protection of Privacy Policy and related procedures (IM7700)
  • Resolution of Non-Academic Misconduct Allegations (AC1300)

Out-of-Scope or Ineligible Items

  • SPF/DMARC/DKIM - e-mail authentication methods
  • Clickjacking (unless accompanied by substantial proof of concept)
  • CAA - DNS Certificate Authority Authorization
  • HSTS - HTTP Strict Transport Security

Acknowledgements

The University of Victoria would like to thank the following people for helping improve the security of our systems in a responsible manner:

  • Aamir Ahmad
  • Abdullah Al Mamun
  • Akhil Sabu
  • Akshay Ravi
  • Anon Tuttu Venus
  • Antonio Cannito
  • Ashish Halle
  • Ayan Saha
  • Badal Sardhara
  • Bhargab Kaushik
  • Bindiya Sardhara
  • Chandan Rai
  • Chandula Kodituwakku
  • Divya Singh
  • Gourab Sadhukhan
  • Haider Kareem
  • Hamoud Al-Helmani
  • Harshit Rastogi
  • Kirankumar Subuddi
  • Khun Myat
  • Malkit Singh
  • Mohd.Danish Abid
  • Mohd Mubin Girach
  • Mohit Khemchandani
  • Mustafa Diaa
  • Nayanjyoti Roy
  • Pranav Gajjar
  • Pritam Mukherjee
  • Raajesh G
  • Samanvai Chandra
  • Samprit Das
  • Sankarraj Subramanian
  • Santosh Kumar Sha
  • Saurabh Bhosale
  • Saurabh Shinde
  • Sergi Lacroute
  • Sheinn Khant
  • Shripad Rachha
  • Souvik Mondal
  • SAKW_Team
  • Tamim Hasan
  • Tushar Vaidya
  • Vedant Shinde
  • Vedant Tekale
  • Vikas Srivastava
  • Virendra Tiwari
  • Vishal Saini
  • Vishnu S. Jariwala
  • Vishnujith K.P
  • Vivek Panday
  • Vivek Sharma
  • Xiangwen (Evan) Yu
  • Yash Dharmani