Report a Vulnerability

Policy​

The Texas A&M University System ("system") accepts disclosure of vulnerabilities to system information resources that are discovered through good-faith research by the public. The system does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.

Disclosure and Remediation Timeline​

Time frames for mitigation development and the type and schedule of disclosure may be affected by various factors. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to established standards may result in changes to the disclosure timeline. Other factors include, but are not limited to:

• whether the vulnerability has already been publicly disclosed, i.e. published by a researcher;
• potential impact to critical infrastructure, national security, or public health and safety;
• the availability of effective mitigations;
• vendor responsiveness and feasibility of developing an update or patch;
• vendor estimate of time required for customers to obtain, test and apply the patch.

The name and contact information of the vulnerability reporter will be provided to the affected vendors unless otherwise requested by the vulnerability reporter. The system will make good-faith efforts to advise the vulnerability reporter of significant changes in the status of any vulnerability reported, without revealing information provided in confidence by the affected vendor(s) or service provider(s).

Affected vendors will be apprised of any publication plans shared by the vulnerability reporter.

Reporting a Vulnerability​

To report a vulnerability, please submit a vulnerability report. You may also contact TAMUS Cybersecurity directly through the methods available on our contact page.