Security & Vulnerability Disclosure Policy

Maintaining the security of our network and the data we hold is important to Cambridge University Press & Assessment. This policy should be followed by external security professionals for testing for and reporting to us vulnerabilities in our websites, platforms, and applications, or if any other security issues are discovered.

1) What you can expect from us

After your report you will receive an acknowledgement reply from our security team with a reference number, this is usually within 24 hours but may be issued up to three working days after your submission.

Cambridge University Press & Assessment’s security team is committed to professionally investigating any issues reported to us from the security community. Reported issues may require further investigation by our support and development teams, and any fixes will be prioritised according to our vulnerability & patching strategy, and incident response procedures where relevant.

2) We ask that you

  • • Only conduct testing according to the scope defined in this policy.
  • • Do not break the law.
  • • Do not target any of our users or customers, violate their privacy, or social engineer, phish or attack our customers or staff whether digitally or physically.
  • • Do not perform tests that could disrupt services provided by Cambridge University Press & Assessment.
  • • Provide reports of potential security issues that meet the below criteria.
  • • Give our teams time to investigate and resolve the issues you have reported – this may include time for us to liaise with third party service providers.
  • • Do not change any data on our systems or services.
  • • Only access the data that is necessary to demonstrate a vulnerability.
  • • Do not disrupt our systems or services by using high-intensity or destructive scanning tools, nor attempt Denial of Service.

3) Scope

This policy applies to security issues found on Cambridge University Press & Assessment systems and services, or data you suspect to have been compromised and may constitute a security incident.

Only conduct vulnerability testing against domains which have a security.txt file in their /.well-known/ directory. Sub-domains are in scope if their parent domain is in scope (i.e. has a security.txt file)

Security issues not to be reported and not included in this scope:

  •  Volumetric vulnerabilities are not in scope. Overwhelming a service with a high volume of requests is prohibited – do not attempt Denial of Service attacks.

  •  Reports of non-exploitable vulnerabilities or that our services are configured in a manner that you believe could be improved e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc) or sub-optimal email related configuration (SPF, DMARC etc).

  •  TLS configuration weaknesses, for example weak cipher suite support or the presence of TLS 1.0 support are not in scope.

4) Reporting a Vulnerability

If you believe you have found a security issue that meets the scope detailed above, please send your report to us using [email protected]. Initial reports should include a brief description of the type of vulnerability and the system or service this has been found in (e.g. the website address or application name).

Once a report is received, you will receive an acknowledgement reply from our security team with a reference number and a request for further information. Acknowledgements are usually provided within 24 hours but may be issued up to three working days from your submission.

A detailed technical description should then be supplied including:

  • • The website, IP, or specific page where the vulnerability can be seen.
  • • Further information about the vulnerability, including its potential for exploitation and potential consequences if exploited.
  • • Steps to reproduce the vulnerability, including screenshots or screen capture videos.

Researchers may submit reports anonymously. We may contact you to request clarification on reported security issues, or other technical details to aid in the accurate identification and/or remediation.

If you suspect you have identified evidence of a live data breach you may also report this to us at [email protected]. You may also contact our Privacy team at [email protected] in these instances.

5) Bug Bounty

Regrettably, we do not have a paid bug bounty program. However, we do extend our gratitude and recognition to security researchers who invest time and effort to investigate and report security vulnerabilities to us and host an acknowledgements page at https://www.cambridge.org/legal/security-and-vulnerability-disclosure-policy/acknowledgement

Cambridge University Press & Assessment are committed to prompt correction of vulnerabilities. We ask that you refrain from sharing or publishing information about any discovered vulnerabilities for 90 calendar days from receipt of acknowledgment of your report. We reserve the right to request further time before you make any published disclosure.

6) Feedback

Feel free to provide us any feedback or suggestions with regards to this policy, contact us via email to [email protected].