Security: YUSU-Dev/roses-live

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

Please contact it@yorksu.org as soon as possible to report the vulnerability. If the vulnerability can be actively exploited, please do not create a GitHub issue on any public repository.

When reporting a vulnerability to us, please include:

  • the website, page or repository where the vulnerability can be observed
  • a brief description of the vulnerability
  • details of the steps we need to take to reproduce the vulnerability
  • non-destructive exploitation details

If you can, please also include:

  • the type of vulnerability, for example, the OWASP category
  • screenshots or logs showing the exploitation of the vulnerability

If you receive no reply within 3 working days, please create an issue so that the community can respond.

Guidelines for reporting a vulnerability

When you are investigating and reporting a vulnerability in one of York SU's open source repositories, or in a website on the York SU domain or one of its subdomains, you must not:

  • break the law
  • access unnecessary or excessive amounts of data
  • modify data
  • use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • attempt a denial of service - for example, overwhelming a service on yorksu.org with a high volume of requests in order to disrupt yorksu.org services or systems
  • tell other people about the vulnerability you have found until we have disclosed it
  • social engineer, phish or physically attack our staff or infrastructure
  • demand money to disclose a vulnerability