Vulnerability Disclosure

The University of Victoria is committed to maintaining the security of our systems. As a research-intensive university, we very much value the work of security researchers and of our community in helping achieve this goal. We appreciate and encourage responsible reporting and disclosure of any security vulnerabilities. Such disclosures help us to address vulnerabilities before bad actors can find and potentially exploit them.

A recent trend has been a dramatic increase in the quantity of submissions and a decrease in the materiality of the typical submission. As a result, we no longer reply to every submission we receive. Our commitment is to review every submission. However, we are only able to reply in cases where we perceive a clear and present danger to our information.

Reporting Procedure

If you do become aware of a vulnerability, we request that you inform us via email to so that we can take corrective action. 

Your report should describe the attack scenario to explain why there is a risk, and provide clear steps to reproduce the issue.  Try to use your own words, and tailor your report to the system you found it in, rather than copying references from a scanning or vulnerability tool or website. Written reports and screenshots are generally preferred over videos.

Please note:

  • Do not exploit a vulnerability in order to find other vulnerabilities
  • Do not exfiltrate data in order to provide samples to us
  • We do not provide monetary rewards for finding vulnerabilities 

Thank you in advance for your submission. We appreciate your assistance in our security efforts to protect our community.

Out-of-Scope or Ineligible Items

  • SPF/DMARC/DKIM - e-mail authentication methods
  • Clickjacking (unless accompanied by substantial proof of concept)
  • CAA - DNS Certificate Authority Authorization
  • HSTS - HTTP Strict Transport Security
  • Host header injection, if impact is limited to redirecting your own traffic

University Policy References

The fact that we encourage responsible disclosure is not an invitation to misuse our information systems.  All UVic faculty, staff and students are reminded of their responsibilities outlined within the following policies:

  • Acceptable Use of Electronic Information Resources (IM7200)
  • Information Security Policy and related procedures (IM7800)
  • Protection of Privacy Policy and related procedures (IM7700)
  • Resolution of Non-Academic Misconduct Allegations (AC1300)