Bug Bounty Program

University of Nebraska Bug Bounty program

 

University of Nebraska is committed to ensuring that all academic, research, and service activities are carried out in the safest way, guaranteeing the confidentiality, integrity and availability of the information. The University of Nebraska Bug Bounty program is an experimental program aiming to improve UN's online security, intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. Here you will find information about what systems and types of research are covered, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in our systems.

The primary source for this document is the Department of Homeland Security's Vulnerability Disclosure Policy Template.

Authorization

If you make a good faith effort to comply with this document during your security research, we will consider your research to be authorized we will work with you to understand and resolve the issue quickly, and University of Nebraska will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this document, we will make this authorization known.

Guidelines

In this program "research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test methods

The following activities are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
  • Any activity related to university medical data or services is prohibited and could result in disciplinary/legal actions.
  • Local network-based exploits such as DNS poisoning or ARP spoofing
  • Social engineering

Scope

This program is limited only to following systems and services:

  • *.nebraska.edu
  • *.unk.edu
  • *.unl.edu
  • *.unomaha.edu

In-Scope vulnerabilities

  • Remote Code Execution (RCE)
  • SQL injection
  • XML External Entity Injection (XXE)
  • Authorization bypass/escalation
  • Sensitive information leaks
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)

Out-of-Scope vulnerabilities

  • Any bug that does not pose a substantial or demonstrable security risk
  • Clickjacking, open redirects, or lack of security headers
  • Other methods not authorized in "Test methods"

Reporting a vulnerability

We accept vulnerability reports via its-sec@nebraska.edu. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
We do not support PGP-encrypted emails.

What we would like to see from you


In order to help us triage and prioritize submissions, we recommend that your reports:

  •     Describe the location the vulnerability was discovered and the potential impact of exploitation.
  •     Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
  •     Be in English, if possible.

What you can expect from us

  • When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
  • Within 3 business days, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent to its-sec@nebraska.edu. We also invite you to contact us with suggestions for improving this policy.

Hall of Fame

On behalf of our students, all University Staff and especially our IT crew, we would like to express our gratitude to the following people for making a responsible disclosure to us and helping make University of Nebraska services more secure.

  • 2021

    • Nayanjyoti Roy ★

  • 2023

    • Gaurang Maheta ★

  • 2024

    • Kishan Shah ★
    • Aashutosh Devkota ★★