Vulnerability Reporting Policy

Imperial’s IT security team welcome responsible disclosure of any vulnerability in our services. We are committed to verifying and responding to any legitimate reported vulnerability.

Disclosure guidelines

Please provide details of the vulnerability or security issue along with any information needed to reproduce.

Avoid violating the law, privacy, or any destruction, alteration or denial of our services.

Do not modify or access any data that doesn’t belong to you.

Allow us reasonable time to respond and fix the issue. We aim to reply to your initial contact within 2 business days.

Imperial staff and students

Members of the Imperial community are encouraged to report vulnerabilities through the ICT Service Desk. If you have sensitive data, or feel uncomfortable about going through the service desk, please follow the ‘others’ process below.

Please note this reporting policy is not permissionto “hack” or “pen test” Imperial systems but provides a process to report issues legitimately discovered in the course of using our systems and services.

All others

Please send an email to vulnerability@imperial.ac.uk with your name and contact information. We can provide encrypted channels over S/MIME or other mechanisms if required.