Introduction 

University of Illinois IT Professionals have a responsibility to provide guidance on how to responsibly disclose Cybersecurity Vulnerabilities.

The typical approach is serving /.well-known/security.txt on web servers and adding SECURITY.md to public code repositories. See below for details.

When a user responsibly discloses a vulnerability through this process, the University Cybersecurity team will work with your team and the responsible disclosers toward a solution.

For Web Servers

All University of Illinois web servers should serve a file named /.well-known/security.txt that describes how to responsibly disclose security vulnerabilities.

See security.txt - a proposed standard for defining security policies for details.

Example /.well-known/security.txt:

Contact: mailto:securitysupport@illinois.edu
Policy: https://go.illinois.edu/vulnerability
Expires: 2025-07-31T17:00:00.000Z

For Public Code Repositories

All public University of Illinois code repositories should include a file named SECURITY.md in the project root on the main branch that describes how to responsibly disclose security vulnerabilities.

# Security Policy

## Supported Versions

Patches for [ **PROJECT NAME** ] will only be applied to the latest version.

## Reporting a Bug or Vulnerability

Vulnerabilities can be responsibly disclosed through the process
 documented at https://go.illinois.edu/vulnerability

Bugs can be reported via repository issues.