Bug Hunt

The VUB takes the protection of data and privacy seriously. Your input and feedback on potential security issues would be appreciated.

If you detect a security issue during the normal use of the VUB infrastructure and/or programs, we ask that you do not make it public without the explicit permission of the VUB CIO or CISO. You can report potential security problems via Service Now or via helpdesk@vub.be.

Please provide the following information:

  • Steps to reproduce the problem;
  • If relevant, a screenshot of the resulting error;
  • If known, the cause of the problem;
  • Your name, if desired, as you would like to see it added to the ‘contributors to VUB Security’;
  • Preferred method to contact you.

The VUB services will review every reported security problem for validity and potential impact, and assign a priority to it.

The VUB has a Bug Hunt Program. It is open only to VUB students and aims to improve the security of VUB applications by testing security in a responsible manner. By participating in this Bug Hunt Program, you agree to the following rules:

  • Do not try to gain access to personal or other data, or to change the data (destruction or disclosure of data is a felony!);
  • Do not disclose vulnerabilities before they are fully resolved;
  • Do not perform tests which may disrupt the normal functioning of the application;
  • Do not use automated tools;
  • Vulnerabilities must be reported immediately via the above procedure.

This program is limited to VUB applications on VUB infrastructure.

Contributors to VUB security

  • 24-jan-2017 – Student (name known) – Pointcaré vulnerability
  • 16-jan-2017 – Student (name known) – Server ‘mini’ (FTP access) vulnerability
  • 16-jan-2017 – Student (name known) – Pointcaré vulnerability

For security reasons, no details about the reported vulnerabilities are provided. ‘Student (name known)’ indicates that the student has not given explicit consent for his/her name to be mentioned.