Office of Information Technology

We are committed to maintaining a safe and secure environment for our users and the broader community. As part of our ongoing efforts to protect against potential threats, we encourage the responsible disclosure of security vulnerabilities in our products, services, and systems.

If you discover a vulnerability, we ask that you please follow the guidelines below to report it:

1. Report Responsibly: Please submit your findings privately, ensuring that the details are not shared publicly until we have had an opportunity to review and address the issue.
2. Provide Detailed Information: Include a clear and concise description of the vulnerability, steps to reproduce it, and any other relevant information that can assist our Security team in verifying and addressing the issue.
3. No Exploitation: We ask that you refrain from exploiting the vulnerability or accessing any data you are not authorized to view. The goal is to make the system safer for everyone, not cause harm.
4. Respect Privacy: If the vulnerability involves sensitive data, please do not access or disclose that data without authorization.

Our Commitment:

• We will acknowledge the receipt of your report as soon as possible.
• We will work to resolve the vulnerability promptly and keep you informed on the status.
• We aim to issue fixes and security updates as quickly as possible.
• When appropriate, we will publicly disclose the vulnerability and credit you for your contribution to making our systems more secure.

Thank you for helping us improve the security of our systems and protecting our community. Your efforts are vital in keeping everyone safe.

Please submit your report at https://cyber.tamus.edu/vuln-report/.

Texas A&M University System Cyber Operations serves as the central point of contact for public reporting of vulnerabilities in organizational systems and system components. Upon receiving a report from a public source, Cyber Operations will validate the report, determine the scope of impact across system members, implement global countermeasures to mitigate the immediate impact of the reported vulnerabilities across all affected members, and coordinate with information resource custodians to remediate the reported vulnerabilities for specific affected information systems.

Exclusions

The information resource owner or designee (e.g., custodian, user) is responsible for implementing the Security Control Catalog protection measures. Based on risk management considerations and business functions, the resource owner may request to exclude certain protection measures provided in a Control. All exclusions must be in accordance with the procedures highlighted in the Information Security Controls Exclusion Process.

Information Security Services
Office of Information Technology