Vulnerability Disclosure Program

About This Program

The Vulnerability Disclosure Program (VDP) is an experimental program aiming to improve UC Berkeley's online security through responsible testing and submission of previously unknown vulnerabilities. The VDP creates clear guidelines for eligible participants to conduct cyber security research on UC Berkeley systems and applications.

Program Eligibility

The VDP is only open to current UC Berkeley students, faculty, staff, and researchers.

Members of the public may not participate and are not authorized to scan our network for vulnerabilities. However, we recognize that users may encounter security vulnerabilities when accessing UC Berkeley systems, resources, and networks. Therefore, members of the public are invited to report any vulnerabilities they encounter. Members of the public are not eligible for attribution.

Program Rules and Restrictions

  • Prior Permission to Test Required: Participants must first obtain permission from the system owner prior to engaging in any testing or investigation. System owners have the right to deny or revoke permission at any time and for any reason.

  • All vulnerabilities must be reported through UC Berkeley’s Vulnerability Report Form linked on this page. Additional information on reporting is provided below.

  • Do not exploit vulnerabilities, e.g. by downloading/accessing more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data. If a vulnerability provides unintended access to data, do not access the data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability. If you encounter any High Risk data during testing, such as Personally Identifiable Information (PII), Protected Health Information (PHI), credit card data, or other confidential information, cease testing and submit a report immediately.

  • Compliance with all applicable laws and UC Berkeley policies is mandatory, including: UC’s Statement of Ethical Values and Standards of Ethical Conduct, UC Berkeley’s Campus Code of Student Conduct, the UC Electronic Communications Policy, Campus Online Activities Policy, Computer Use Policy, Guidelines on Administering Appropriate Use of Campus Computing and Network Services, and the U.S. Computer Fraud and Abuse Act.

  • Any unauthorized activity outside the terms of this program may be subject to disciplinary and/or legal action pursuant to applicable laws and UC Berkeley policies. If, at any time, you have concerns or are uncertain whether your security research is consistent with the terms of this program, stop testing and contact security@berkeley.edu or submit your question via the Vulnerability Report Form linked below.

  • Non-Disclosure Agreement: All information relating to vulnerabilities that you become aware of through the VDP is considered confidential (“Confidential Information”). You agree to refrain from disclosing Confidential Information publicly or to any third party (outside of the University of California) without prior, written approval from the Information Security Office at UC Berkeley: security@berkeley.edu. You agree to honor any request from the Information Security Office at UC Berkeley to promptly return or destroy all copies of Confidential Information and all notes related to the Confidential Information.

  • Any testing or reporting you undertake constitutes your agreement to all terms and conditions of the program.

Eligible Findings

The following classes of vulnerabilities are of particular interest to us, and are eligible for attribution upon review:

  • Remote Code Execution (RCE)

  • SQL injection

  • XML External Entity Injection (XXE)

  • Authorization bypass/escalation

  • Sensitive information leaks

  • Cross-site scripting (XSS)

  • Cross-site request forgery (CSRF)

Testing Rules & Restrictions (Permission Will Not Be Granted)

We do NOT want you to test for or report any of the following and you are not authorized, nor will permission be granted, to conduct the following prohibited testing or actions:

  • Tests that will disrupt services or impair others' ability to use them

  • Use of automated scanners

    • Note: Approved researchers/testers may, with permission, use approved scanners with approved throttling so as not to disrupt service.

  • Local network-based exploits such as DNS poisoning or ARP spoofing

  • Physical exploits of our servers or network

  • Attacking physical security or third-party applications, use of social engineering, or orchestrating (distributed) denial of service attacks

  • Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages

  • Knowingly posting, transmitting, uploading, linking to, sending, or storing any malware, viruses, or similar harmful software

Ineligible Findings

Reported vulnerabilities that meet any of the following criteria are not eligible for attribution:

  • Does not pose a substantial or demonstrable security risk

  • Only affects the executing user (self-XSS and similar)

  • Requires the pretense that you already have access to the affected account (or control of the user's browser)

  • Only affects outdated browsers/platforms

  • Clickjacking, open redirects, or lack of security headers

  • UI and UX bugs and spelling mistakes

  • Intentional listing of directory contents for research or publication purposes

Reporting Process

Submit vulnerabilities via the Vulnerability Report Form. To qualify for the program, submissions must include details about the vulnerability, proof of concept or steps taken to replicate the vulnerability, and suggestions on a resolution.

DO NOT INCLUDE ANY OF THE FOLLOWING IN YOUR REPORT:

(Only let us know if these *types* of data are present. We will follow up with you if details are needed.)

  • Personally identifiable information (PII)

  • Credit card holder data

  • Information that could potentially violate the university's policies

UC Berkeley’s Response to Reports

In response to reports submitted in accordance with the rules and requirements of the program, UC Berkeley will:

  • Acknowledge the receipt of your report

  • Strive to resolve any confirmed vulnerability within a reasonable timeframe, in alignment with campus security priorities.

  • For participants reporting vulnerabilities within the parameters of this program, at our discretion we will include reporters of confirmed vulnerabilities on our public leaderboard / attribution page if 1) you are the first person to file a report for the vulnerability, and 2) you “opted in” for attribution on your Vulnerability Report Form. Anonymous reports will be listed as “anonymous”.

  • Out-of-scope submissions will be accepted and acted upon in alignment with campus security priorities, but are not eligible for public attribution.