The University of Nebraska is committed to ensuring that all academic, research, and service activities are carried out in the safest way, guaranteeing the confidentiality, integrity and availability of the information. The University of Nebraska Vulnerability Disclosure program is an experimental program aiming to improve UN's online security, intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. Here you will find information about what systems and types of research are covered, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in our systems.
The primary source for this document is the Department of Homeland Security's Vulnerability Disclosure Policy Template.
Authorization
If you make a good faith effort to comply with this document during your security research, we will consider your research to be authorized we will work with you to understand and resolve the issue quickly, and University of Nebraska will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this document, we will make this authorization known.
Guidelines
In this program "research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Test methods
The following activities are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
- Any activity related to university medical data or services is prohibited and could result in disciplinary/legal actions.
- Local network-based exploits such as DNS poisoning or ARP spoofing
- Social engineering
Scope
This program is limited to systems and services using University of Nebraska System domains:
- *.nebraska.edu
- *.unk.edu
- *.unl.edu
- *.unomaha.edu
Vendor-hosted platforms that use a University domain (for example, jobs boards, event management systems, SaaS portals) are managed by external providers and therefore fall outside the scope of this program, unless a University-specific misconfiguration is demonstrated.
For full details, see the complete "Scope" section.
Reporting a vulnerability
- We accept vulnerability reports via emails to ITS-Security <its-sec@nebraska.edu>.
- Reports may be submitted anonymously.
- If you share contact information, we will acknowledge receipt of your report within 3 business days.
- We do not support PGP-encrypted emails.
What we would like to see from you
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.
What you can expect from us
- When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- Within 10 business days after acknowledge the report we will proceed to update our Hall of Fame
- We will maintain an open dialogue to discuss issues.
Rewards & Recognition
While we currently do not offer monetary rewards, we are pleased to recognize your efforts by featuring your name in our Hall of Fame, commemorating your contribution to our organization's security efforts, and granting digital badges as a reward for the perseverance and quality of the reports.
Each vulnerability will receive a score based on its severity and impact:
| Criticallity | Score |
|
Info |
25 |
|
Low |
100 |
|
Medium |
250 |
|
High |
500 |
|
Critical |
1000 |
Vulnerability reports that are not eligible because they are out-of-scope or were already reported, will be classified as “Info” and eligible for public acknowledgment if they represent a high-quality security research submission.
We align with Bugcrowd Vulnerability Rating Taxonomy as a reference for classification and severity.
The points are cumulative and will be used to determine the level of recognition in the Hall of Fame and granting digital badges based on the following levels:
| Rank | Score | Recognition |
|
Initiate |
25+ |
Hall of Fame |
|
Explorer |
100+ |
Explorer Digital Badge |
|
Adventurer |
2,500+ |
Adventurer Digital Badge |
|
Vanguard |
5,000+ |
Vanguard Digital Badge |
|
Champion |
10,000+ |
Champion Digital Badge |
|
Hero |
15,000+ |
Hero Digital Badge |
|
Legend |
20,000+ |
Legend Digital Badge, Printed Certificate, & NU Security Challenge Coin |
Targets of the Month (Bonus Points Campaigns)
How it works?
Monthly list:
We publish the month’s highlighted, in-scope targets here by the 1st of each month.
- Same rules, extra credit: Your standard VDP scope, testing rules, and reporting process remain in effect (no DoS, no service degradation, etc.).
- Time window: From 12:00 a.m. Central Time on the 1st to 11:59 p.m. Central Time on the last day of the month.
- Duplicates: Standard duplicate rules apply (duplicates don’t earn points).
Campaign bonuses:
- Campaign multiplier: 2X the normal points for any valid report on a listed target during the campaign window.
- Early-bird multiplier (days 1–7): 2.5X the normal points if your valid campaign report arrives in the first 7 calendar days.
Examples:
- Critical (1000) → 2000 (2X) or 2500 (2.5X)
- High (500) → 1000 (2X) or 1250 (2.5X)
- Medium (250) → 500 (2X) or 625 (2.5X)
- Low (100) → 200 (2X) or 250 (2.5X)
- Info (25) → 50 (2X) or 65 (2.5X, rounded up to the nearest 5)
Rounding rule: If a multiplier yields a non-integer ending (e.g., 62.5), we round up to the nearest 5 to keep scoring simple and transparent.
Guardrails:
- Scope & Safe Harbor: Follow the program’s in-scope/out-of-scope lists and authorized test methods. No DoS, stress testing, or actions that degrade availability.
- Quality: Provide clear repro steps and impact analysis; low-quality/scan-only submissions may be classified as Info and not eligible for bonuses.
Questions
Questions regarding this policy may be sent to its-sec@nebraska.edu. We also invite you to contact us with suggestions for improving this policy.
Last update: 10/09/2025