1. Disclosing or discussing a Security Vulnerability with anyone other than the Duke information security offices can put Duke systems, networks, data and the entire Duke community at risk. Accordingly, to ensure appropriate response and handling of Security Vulnerabilities, any and all reports or other information regarding such vulnerabilities should be reported immediately as follows:
To report Security Vulnerabilities within Duke Health systems or networks and related matters, see the Duke Medicine Secure Systems Usage Memo.
To report Security Vulnerabilities within Duke University systems or networks:
- Contact the Duke IT Security Office via encrypted email at firstname.lastname@example.org using our PGP key (available at http://security.duke.edu/itso-pgp-key). Include as much information as possible in your report, including a way for the system owner to reproduce the security vulnerability, if available.
- If you are unfamiliar with PGP and encrypting email, then please email email@example.com and:
  - DO NOT include details of the security vulnerability in the correspondence;
  - Provide your contact information (email address or phone number).
2. Any person who wishes to scan for or find Security Vulnerabilities within a Duke system or network must first obtain written permission from the system and network owners. Advance notification gives system and network owners an opportunity to either deny permission or prepare for any unintended consequences of the security testing or investigation (e.g., unexpected load or non-routine calls being made to the system). Prior to attempting to actively scan for Security Vulnerabilities within any Duke system or network:
- Contact the Duke IT Security Office (via email to firstname.lastname@example.org) to initiate the process and identify and facilitate necessary communication with other Duke IT, privacy and security personnel, as well as all affected system and network owner(s).
- Obtain permission in writing (email is acceptable) from the system and network owners, and share that permission with the IT Security Office. The system and network owners have individual discretion in determining whether or not to grant permission. This step is not necessary if an owner is attempting to identify security vulnerabilities in his or her own systems or networks.
Please do not make any findings (or related research or other documentation) public or share them with anyone until Duke has had a chance to investigate and remediate the reported issues.
3. The applicable security office(s) will acknowledge receipt of any report or other information provided or generated through the procedures above as quickly as possible (ideally within 1 business day), and will provide additional details regarding the outcome if and when appropriate. The security offices will in any event promptly work with the reporting party, the potentially affected system or application owner(s) and relevant institutional and departmental officers to fully investigate the matter and promptly resolve any verified security issues.
4. If mutually agreed by the Duke security offices, the system or application owner/administrator and the reporting Duke personnel, the Duke security office may also appropriately recognize the Duke personnel for responsibly disclosing the Security Vulnerability and any additional assistance they provide.
Review Frequency: Annually