Skip to content

Security: YUSU-Dev/.github

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

Please contact it@yorksu.org as soon as possible to report the vulnerability. If this is a vulnerability that can be actively exploited please do not create a GitHub issue on any public repo.

When reporting a vulnerability to us, please include:

  • the website, page or repository where the vulnerability can be observed
  • a brief description of the vulnerability
  • details of the steps we need to take to reproduce the vulnerability
  • non-destructive exploitation details

If you can, please also include:

  • the type of vulnerability, for example, the OWASP category
  • screenshots or logs showing the exploitation of the vulnerability

If you receive no reply within 3 working days, please create an issue for the community to respond.

Guidelines for reporting a vulnerability

When you are investigating and reporting the vulnerability in one of York SU's open source repositories, or a website on the York SU domain or subdomain, you must not:

  • break the law
  • access unnecessary or excessive amounts of data
  • modify data
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • try a denial of service - for example overwhelming a service on yorksu.org with a high volume of requests to disrupt yorksu.org services or systems
  • tell other people about the vulnerability you have found until we have disclosed it
  • social engineer, phish or physically attack our staff or infrastructure
  • demand money to disclose a vulnerability

There aren’t any published security advisories