
Vulnerability Disclosure Policy

Overview

CHRR at The Ohio State University is committed to ensuring the security of our computer systems. This policy is intended to provide security researchers with guidelines on permitted activities and how to submit discovered vulnerabilities to us.

Authorization

CHRR authorizes good-faith research on its publicly accessible websites and applications as long as the research complies with this policy.

Requirements

To maintain compliance with this policy, CHRR requires that you:

  • Limit research to systems intended to be publicly accessible.
  • Do not perform denial-of-service (DoS or DDoS) testing, physical testing (including but not limited to office access, open doors, and tailgating), social engineering (including but not limited to phishing and vishing), or other non-technical vulnerability testing.
  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems.
  • Once you’ve found a vulnerability or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Disclosure

While we encourage you to provide contact information, anonymous submissions are also accepted.

Vulnerabilities can be reported to vulnerability-disclosure@chrr.osu.edu. For submissions that include contact information, CHRR will respond within five business days and discuss next steps, including a public disclosure timeline. We ask that you give us a reasonable amount of time to resolve the vulnerability before you disclose it publicly. We will communicate the steps we are taking during the remediation process.
