Responsible Disclosure Policy and Guidance

Version 1.0

Author

Duke University IT Security Office and Duke Health Information Security Office

Authority

Duke University Chief Information Security Officer
Duke Health Chief Information Security Officer

Background


To protect its electronic systems, networks and data, Duke University and Duke University Health System (collectively, Duke) maintain various policies and processes, administered by OIT, DHTS and institutional and departmental IT, security and privacy offices, for the discovery, investigation and resolution of suspected or actual security incidents and other system, network or data vulnerabilities within our systems and networks (“Security Vulnerabilities”).

Duke recognizes that faculty, staff and students outside of OIT, DHTS and institutional and departmental IT, security or privacy offices may encounter Security Vulnerabilities when using Duke systems or networks.

As a part of Duke’s overall security and privacy efforts, this Responsible Disclosure policy and guidance acknowledges and makes available, with limitations, certain protections to those Duke faculty, staff, students, and others referenced in the Scope section below, who, in good faith, report suspected Security Vulnerabilities encountered in their ordinary use of Duke systems and networks to the Duke IT Security Office (ITSO) or Information Security Office (ISO) (collectively, ITSO/ISO). This Policy also contains the procedures for the appropriate discovery, reporting, investigation and resolution of Security Vulnerabilities.

Policy


If a Security Vulnerability has been identified within a Duke system or network, we ask the individual identifying the Security Vulnerability to immediately disclose the Security Vulnerability to the ITSO/ISO. Consistent with Duke’s non-retaliation and non-retribution policy, Duke will not take disciplinary action against Duke faculty, staff, students or others referenced in the Scope section below, in connection with their discovery and immediate reporting to the ITSO/ISO (in good faith and in compliance with this policy and associated procedures) of any suspected Security Vulnerabilities encountered when using Duke systems or networks. However, neither this nor any other Duke policy will protect any persons (including those reporting under this or any other policy) from any intentional violation or attempted violation of applicable law, including laws and regulations protecting computers or other electronic devices, systems, networks or users, intellectual property (including patent applications) or personal data or other sensitive information.

Procedures


1. Disclosing or discussing a Security Vulnerability with anyone other than the Duke information security offices can put Duke systems, networks, data and the entire Duke community at risk. Accordingly, to ensure appropriate response and handling of Security Vulnerabilities, any and all reports or other information regarding such vulnerabilities should be immediately reported as follows:

To report Security Vulnerabilities within Duke Health systems or networks and related matters, see the Duke Medicine Secure Systems Usage Memo.

To report Security Vulnerabilities within Duke University systems or networks:

  • Contact the Duke IT Security Office via encrypted email at security@duke.edu using our PGP key (available at http://security.duke.edu/itso-pgp-key). Include as much information as possible in your report, including a way for the system owner to reproduce the security vulnerability, if available.
  • If you are unfamiliar with PGP and encrypting email, then please email security@duke.edu and
    • DO NOT include details of the security vulnerability in the correspondence;
    • Provide your contact information (email address or phone number).

2. Any person who wishes to scan for or find Security Vulnerabilities within a Duke system or network must first obtain written permission from the system and network owners. Advance notification gives system and network owners an opportunity to either deny permission or prepare for any unintended consequences of the security testing or investigation (e.g., unexpected load or non-routine calls being made to the system). Prior to attempting to actively scan for Security Vulnerabilities within any Duke system or network:

  • Contact the Duke IT Security Office (via email to security@duke.edu) to initiate the process and identify and facilitate necessary communication with other Duke IT, privacy and security personnel, as well as all affected system and network owner(s).
  • Obtain permission in writing (email is ok) from the system and network owners, and share that information with the IT Security Office. The system and network owners will have individual discretion in determining whether or not to grant permission. This step is not necessary if an owner is attempting to identify security vulnerabilities in his or her own systems or networks.

Please do not make any findings (or related research or other documentation) public or share them with anyone until Duke has had a chance to investigate and remediate the reported issues.

3. The applicable security office(s) will acknowledge receipt of any report or other information provided or generated through the procedures above as quickly as possible (ideally within 1 business day), and will provide additional details regarding the outcome if and when appropriate. The security offices will in any event promptly work with the reporting party, the potentially affected system or application owner(s) and relevant institutional and departmental officers to fully investigate the matter and promptly resolve any verified security issues.

4. If mutually agreed by the Duke security offices, the system or application owner/administrator and the reporting Duke personnel, the Duke security office may also appropriately recognize the Duke personnel for responsibly disclosing the Security Vulnerability and any additional assistance they provide.


Scope


All faculty, staff, students, affiliates, contractors, consultants, vendors, or other Duke system and network users are covered by this policy.

Review Frequency: Annually


Document Type: Policy
Applicable To: Duke Health, Duke University