Employees and students of UGent, as well as third parties external to UGent, are allowed to actively detect vulnerabilities in the security of UGent's ICT infrastructure, insofar as this is done in accordance with the policy set out in this regard.

Policy

The document "Ghent University coordinated IT vulnerability disclosure policy" contains the policy as approved by the Executive Council on 8 July 2022.

Scope

The following systems and websites are excluded for vulnerability assessment:

• Systems and applications hosted by third-party vendors and/or cloud providers.
• Oasis
• SAP

Actively searching for vulnerabilities in information systems not within the scope of this policy is unauthorised and may lead to sanctions and/or legal prosecution..

When someone tries to detect vulnerabilities, this can always be detected. When analysing such an incident, the security team may block affected accounts or take servers offline. If this takes place outside normal service hours, rapid account reactivation cannot be guaranteed. It is therefore important to consider such actions carefully, especially during critical times such as exam or holliday periods.

Notification procedure

Vulnerabilities can be reported via ICT HelpMe.

When reporting a vulnerability, please confirm that you have read this Coordinated Vulnerability Disclosure Policy and are working in accordance with its provisions. Make sure you can be contacted yourself.

Information you must provide when reporting a vulnerability includes:

• vulnerability type
• configuration details
• actions taken
• tools used
• dates of tests
• proofs
• IP address or URL of the affected system
• screenshot
• contact details
• ...

Please also provide details of any UGent confidential or personal data you may have had access to.

Rewards

There are currently no rewards or bug bounties provided. If you wish, you can get a mention on this website.