Responsible disclosure

At TU Delft, the security of our data and systems is important to us. Despite our care for the security of our systems, vulnerabilities and weak spots can still occur.

If you have found a vulnerability in one of our systems, we would like to hear about it so that we can take action as soon as possible. We would like to work with you to better protect our users and our systems.

Our responsible disclosure policy is not an invitation to actively scan our university network to discover vulnerabilities. We monitor our corporate network and as a result, there is a high probability that a scan will be picked up, that our CERT will investigate, and that unnecessary costs may be incurred.

There is a chance that your finding may involve actions that are not permitted by law. If you have complied with the conditions below during your discovery, we will not take any legal action against you regarding the report. The Public Prosecutor's Office always retains the right to decide whether you will be criminally prosecuted.

What we ask of you:

  • Email your findings as soon as possible to abuse@tudelft.nl.
  • Not to exploit the vulnerability by, for example, downloading more data than necessary to demonstrate the leak or by changing or deleting data.
  • Not to share the vulnerability with others until we have indicated that the vulnerability has been fixed and may be shared.
  • Not to use attacks on physical security or third-party applications, social engineering, distributed denial-of-service, or spam.
  • Provide sufficient information to reproduce the vulnerability so we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability and the actions taken is sufficient, but more may be required for more complex vulnerabilities.

What we promise:

  • We will respond to your report within 3 business days with our assessment of the report and an expected date for resolution.
  • We will treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to fulfil a legal obligation.
  • We will keep you informed of the progress of resolving the vulnerability.
  • Anonymous or pseudonymous reporting is possible. Please be aware that this means we cannot contact you about, for example, the next steps, the progress of plugging the leak, publication, or a possible reward for the report.
  • We might offer a reward for your discovery, but there is no absolute commitment to do so. Therefore, there is no automatic entitlement to compensation. The specific nature of any reward is not pre-established and will be decided by us on an individual basis. Whether or not we provide a reward, and its exact form, will depend on the thoroughness of your discovery, the quality of your report, and the seriousness of the vulnerability.
  • We strive to resolve all issues as quickly as possible and to keep all parties involved informed, and we are happy to be involved in any publication about the vulnerability after it is resolved.