Responsible disclosure in Higher Education
Giles Howard
Surveying Higher Education for good responsible disclosure practice
A holistic, qualitative approach – we were looking around other Higher Education providers for:
» Public-facing policies indicating a commitment to, or understanding of, cyber issues and the risk that they represent
» Dedicated email addresses providing a route to report cyber issues
» A brief survey of acceptable use policies or disciplinary policies, to indicate the penalties for unauthorised access to systems
» Any whistleblowing policies that might extend to students, or to cyber issues specifically
» Any mention of leveraging students as assets for ‘white-hat’ hacking, or any process by which systems may be tested involving students
23/03/2016 Responsible disclosure in Higher Education
Additional work (undertaken simultaneously)
Surveying industrial practice in responsible disclosure:
» Bug bounties
» Whitelists of systems that can be attacked
» Leaderboards
» Guarantee of safe disclosure if flaws are reported using a defined procedure instead of simply being publicly disclosed
» Assurances that flaws reported via the defined process will be afforded high priority
» Test accounts for performing exploitation testing without damaging own/other accounts
Complications
Consulting with key stakeholders within our institution resulted in the following issues being highlighted:
» Professional services (student services, finance, HR, etc.) could not risk interruptions to core business due to unregulated attempts to exploit their systems
» Concerns from multiple stakeholders as to which students/staff this was going to apply to and, in particular, how the students would be vetted
» Further concerns that this may need doing at a much higher level (i.e. an institutional policy of responsible disclosure covering a variety of situations, not purely cyber security ones)
» Not all University systems are directly managed by the IT service – reporting out to vendors and manufacturers might take substantial time before fixes are available
Primary outcomes
Initial groundwork for a localised responsible disclosure process:
» Utilising either the student-run cyber security society or a self-selected population of interested students to exploit systems, with some further constraints
» Usage of ‘at-risk’ periods (as are used for scheduled maintenance/system upgrades at present) outside of core business hours, which would allow the systems to be tested with little-to-no risk to business processes
» Coordination with the Chief Information Officer and others to determine systems which both had value in being tested and did not represent a substantial risk in letting students make attempts to exploit them
Current work
» HEA-funded project led by Federica Paci (F.M.Paci@soton.ac.uk) at University of Southampton under the title of “Enhancing campus cyber security through constructivist student learning”
» Work is beginning on selecting systems for the first round of penetration testing by a group of interested students
» There is no official policy on responsible disclosure (yet!), but multiple parties are working together on this initial activity to iron out a more structured and policy-backed process for doing this in future
Questions?
Thank you
Giles Howard
University of Southampton
giles.howard@soton.ac.uk

Finding vulnerabilities - networkshop44