EMBL’s European Bioinformatics Institute (EMBL-EBI) greatly appreciates investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers.

We value those who take the time and effort to report security vulnerabilities wherever they may be found in our applications or infrastructure.

Reporting a vulnerability

If you believe you have found a security vulnerability, please submit your report to us using the following email address: csirt@ebi.ac.uk or via openbugbounty.org.

In your report please include the following details:

  • The full URL of the product, service or system
  • A description of the vulnerability
  • Any relevant screenshots
  • The steps needed to reproduce the vulnerability, and any proof-of-concept code
  • Any current plans you have to disclose the vulnerability

What EMBL-EBI will do

Since EMBL-EBI is a non-profit organisation, making the world’s public biological data freely available to the scientific community, it is unfortunately not possible for us to reward you financially, but we commit to:

  • Work with you to confirm the vulnerability, the extent to which it affects us, and let you know how long we think the vulnerability will take to fix
  • Notify you when the vulnerability has been fixed
  • Treat your report as confidential, treat your data according to our privacy policy, and not pass your personal data onto any third parties without your permission
  • Thank you by adding your name to our Hall of Fame once we have verified and fixed the vulnerability (only with your permission).

You must not:

  • Break any applicable law or regulations
  • Access unnecessary, excessive or significant amounts of data
  • Modify data in EMBL-EBI’s systems or services
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • Attempt or report any form of denial of service (e.g. overwhelming a service with a high volume of requests)
  • Disrupt EMBL-EBI’s services or systems
  • Socially engineer, ‘phish’ or physically attack EMBL-EBI staff or infrastructure
  • Demand financial compensation in order to disclose any vulnerabilities
  • Share or distribute data retrieved from the systems or services.

You must:

  • Always comply with data protection rules and never violate the privacy of EMBL-EBI’s users, staff, contractors, services or systems
  • Securely delete all data retrieved during your research as soon as it is no longer required or within one month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

What to expect

After submitting your vulnerability report, you will usually receive an acknowledgement within three working days of your report being received.

The team will triage the reported vulnerability, and respond as soon as possible to let you know whether further information is required, whether the vulnerability is in or out of scope, or is a duplicate report. If remediation work is necessary, it is assigned to the appropriate teams.

Priority for bug fixes or mitigations is assessed by looking at the impact severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status of the process, but should avoid doing so more than once every ten working days, so that our teams can focus on the reports as much as possible.

When the reported vulnerability is resolved, or remediation work is scheduled, we will notify you, and invite you to confirm that the solution covers the vulnerability adequately.

Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause EMBL-EBI, or its partner organisations, to be in breach of any legal obligations.

This policy was last updated on 13 April 2021.
