Vulnerability Report
Policy for Reporting Vulnerabilities or Security Flaws
Report Security Vulnerabilities
Security vulnerabilities in IT systems are widespread, and processes for addressing them should be equally established. The first step in this process is always awareness, which is why we welcome reports of security vulnerabilities in the IT systems of Humboldt-Universität zu Berlin.
As a university, we regret that we are unable to offer rewards for identifying and reporting security vulnerabilities. However, you can expect our sincere appreciation and our commitment to helping prevent or minimize potential harm to members of the university community.
In particular, universities often have a decentralized organizational structure, with central and decentralized units reflected in their IT systems. Therefore, it is especially important to note that the information provided in the security.txt file may vary by department or unit. For faster and more targeted reporting, please check whether a more specific security.txt file exists for the relevant IT system (e.g., for a subdomain).
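To make the "check for a more specific security.txt" advice concrete, here is an added example (not code from the university or from this page) that resolves the most specific security.txt for a hostname and parses its fields as laid out in RFC 9116. A real lookup would fetch https://HOST/.well-known/security.txt for each candidate host; to stay offline, the example uses a constructed dictionary of files instead. The departmental hostname, its contact address and the Encryption URL are placeholders; only the general address vulnerability@hu-berlin.de is taken from the page.

```python
"""Locate and parse the most specific security.txt for a host (RFC 9116).

Added example, not the university's code. The SAMPLE_FILES dictionary is a
constructed stand-in for what fetching https://<host>/.well-known/security.txt
would return; 'example-dept' and the '*.invalid' values are placeholders.
"""
from datetime import datetime, timezone

# Constructed sample: host -> body of /.well-known/security.txt (absent = 404).
SAMPLE_FILES = {
    "hu-berlin.de": (
        "Contact: mailto:vulnerability@hu-berlin.de\n"
        "Encryption: https://example.invalid/smime-cert.pem\n"  # placeholder URL
        "Expires: 2031-01-01T00:00:00Z\n"
        "Preferred-Languages: de, en\n"
    ),
    "example-dept.hu-berlin.de": (
        "# departmental file, constructed for this example\n"
        "Contact: mailto:security-dept@example.invalid\n"
        "Expires: 2031-06-01T00:00:00Z\n"
    ),
}


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field_lowercase: [values]}.

    Comments (#) and blank lines are skipped; a field may repeat (e.g. several
    Contact lines), so values are collected in a list in file order.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line without a colon: ignore it
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def candidate_hosts(host):
    """Most specific host first, then each parent domain, stopping before the TLD."""
    labels = host.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_security_txt(host, files=SAMPLE_FILES):
    """Return (host_whose_file_was_used, parsed_fields) or (None, {}) if none exists."""
    for candidate in candidate_hosts(host):
        text = files.get(candidate)
        if text is not None:
            return candidate, parse_security_txt(text)
    return None, {}


def is_stale(fields, now=None):
    """True if the file has no Expires field or its Expires date has passed.

    RFC 9116 makes Expires mandatory, so a missing value is treated as stale.
    """
    expires = fields.get("expires")
    if not expires:
        return True
    stamp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return now >= stamp


if __name__ == "__main__":
    for host in ("www.example-dept.hu-berlin.de", "cms.hu-berlin.de"):
        used, fields = find_security_txt(host)
        print(host, "->", used, fields.get("contact"), "stale:", is_stale(fields))
```

The walk from the full hostname up to the registrable domain is what the paragraph asks a reporter to do by hand: the departmental file wins for hosts beneath it, and every other host falls back to the general address. Checking Expires matters because a stale file may point at a contact that is no longer monitored.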
Tips for Reporting
Send an email to the email address specified in the security.txt file. The general address is: vulnerability@hu-berlin.de (encryption via S/MIME is possible using this certificate). Emails sent to this address are processed through an electronic ticketing system. Please also note our data protection policy.
- Describe as precisely as possible where the vulnerability was discovered. Please provide the associated URL, IP address, or any other relevant coordinates.
- Describe in detail what happens when the vulnerability is triggered.
- Provide a step-by-step explanation of how the behavior can be reproduced.
- In some cases, it may also be helpful to explain why this constitutes a problem or what could happen in the worst-case scenario. (Note: We are fully aware of issues such as XSS and why they are dangerous. However, in some cases the situation may be less clear, and your assessment will greatly assist us in evaluating the matter.)
It would be helpful if you could provide us with a contact address (preferably with encryption capability) to which we may direct follow-up questions. Anonymous reports are also taken seriously, although processing may be limited in such cases.
We expect you to adhere to responsible practices in your investigations, both in the past and moving forward.
- Do not misuse the identified vulnerability. That is, do not cause damage beyond what is reported,
- do not carry out attacks (e.g., social engineering, spam, [distributed] DoS, or "brute force" attacks) against our IT systems,
- do not manipulate, compromise, or alter systems or data of third parties,
- do not submit results from automated tools or scans without explanatory documentation,
- do not report unspecific, generally known information (e.g., "Windows currently has issue XY, and Windows is certainly used somewhere at the university"),
- and, if you are possibly affiliated with the university, also take into account the applicable regulations governing you, such as the Statute on IT Organization (AMB 46/2020) and the CMS Usage Regulations (BenO).