Cybersecurity, Vulnerability Disclosure
Introduction
University of Illinois IT Professionals have a responsibility to provide guidance on how to responsibly disclose Cybersecurity Vulnerabilities.
The typical approach is serving /.well-known/security.txt on web servers and adding SECURITY.md to public code repositories. See below for details.
When a user responsibly discloses a vulnerability through this process, the University Cybersecurity team will work with your team and the responsible disclosers toward a solution.
For Web Servers
All University of Illinois web servers should serve a file named /.well-known/security.txt that describes how to responsibly disclose security vulnerabilities.
See security.txt - a proposed standard for defining security policies for details.
Example /.well-known/security.txt:
Contact: mailto:securitysupport@illinois.edu
Policy: https://go.illinois.edu/vulnerability
Expires: 2025-07-31T17:00:00.000Z
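An added example, not part of this page or of any university tooling: a small parser and checker for the security.txt format that takes the sample above as constructed input and enforces the two requirements RFC 9116 makes mandatory, a Contact field and exactly one Expires value that is still in the future (the one-year limit is the RFC's recommendation). The `now` parameter is an assumption of this example, used so the clock can be fixed for reproducible checks.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Constructed input: the example security.txt shown on this page.
SAMPLE = """\
Contact: mailto:securitysupport@illinois.edu
Policy: https://go.illinois.edu/vulnerability
Expires: 2025-07-31T17:00:00.000Z
"""

def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 date-time; 'Z' is mapped to +00:00 for older Pythons."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))

def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map each field name (lower-cased; names are case-insensitive) to its values.
    Blank lines and '#' comment lines are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text: str, now: str | None = None) -> list[str]:
    """Return the problems found; an empty list means the file passes.
    `now` (ISO 8601) fixes the clock so results are reproducible."""
    current = parse_timestamp(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []
    if not fields.get("contact"):
        problems.append("missing required Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = parse_timestamp(expires[0])
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]}")
        else:
            if exp <= current:
                problems.append(f"file expired on {exp.isoformat()}")
            elif exp - current > timedelta(days=365):
                problems.append("Expires is more than a year away; keep it under a year")
    return problems
```

Running `check_security_txt` against a server's live file on a schedule catches the common failure of a security.txt that silently expired after the team that published it moved on.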
For Public Code Repositories
All public University of Illinois code repositories should include a file named SECURITY.md in the project root on the main branch that describes how to responsibly disclose security vulnerabilities.
# Security Policy
## Supported Versions
Patches for [ **PROJECT NAME** ] will only be applied to the latest version.
## Reporting a Bug or Vulnerability
Vulnerabilities can be responsibly disclosed through the process
documented at https://go.illinois.edu/vulnerability .
Bugs can be reported via repository issues.