Office of Information Security and Privacy


Vulnerability Disclosure Policy

Introduction

UMMC is committed to maintaining the security, confidentiality, integrity, and availability of our digital systems, data, and services. We value the contributions of security researchers, ethical hackers, and other external parties who identify potential vulnerabilities in good faith.

If you believe you have discovered a security vulnerability in one of UMMC's publicly-facing systems or services, we welcome your report.

Scope

This policy applies to UMMC's network, web applications, mobile applications, and other publicly-accessible digital services that are owned or operated by UMMC. Unless explicitly stated elsewhere, this policy does not cover third-party systems, services managed by external entities, or applications outside UMMC's direct control.

What We Ask of You (Reporting Guidelines)

To help us assess and remediate vulnerabilities effectively, please include the following in your submission:

  • A clear and concise title summarizing the issue.

  • Steps to reproduce the issue, including URLs, relevant user roles, parameters, or payloads. 

  • An explanation of the impact: what an attacker could achieve and the potential effect.

  • Supporting material (screenshots, video, code snippets) as needed to clarify the finding.

Please do not:

  • Exploit or delete data, disrupt operations, or access systems you are not authorized to test.

  • Share or publish the vulnerability before UMMC has had a reasonable opportunity to address it.

How to Report

You may report a potential vulnerability to UMMC by using this form or sending an email to our security team.

If you prefer to use email, please contact security-reports@umc.edu. In your email subject line, please include: “Vulnerability Report – UMMC”.

Acknowledgement & Safe Harbor

We pledge to acknowledge receipt of legitimate reports within a reasonable time and work to validate and remediate issues in a timely fashion. We commit to handling reports in good faith and in coordination with the reporter. UMMC will not pursue legal action against individuals who:

  • identify vulnerabilities without malicious intent, and

  • follow this policy's guidelines and act in good faith.

Remediation & Disclosure

Once a vulnerability is verified, UMMC will take appropriate steps to mitigate or remediate the issue. We aim to keep you updated on the status of your report. With your agreement (or when appropriate), we may publish a summary of the resolved issue in a coordinated manner. If the issue affects multiple parties, third-party vendors, or could impact public safety, we may apply a coordinated disclosure timeline aligned with industry best practices.

Out-of-Scope or Excluded Findings

The following types of issues are excluded from this policy and may not be eligible for follow-up:

  • Known issues already published or previously reported and remediated.

  • Issues requiring no privileged access, or trivial in nature (for example, expired certificates with no exploit path).

  • Social engineering, phishing, physical security bypasses, or issues related to non-UMMC operations without UMMC involvement.

UMMC reserves the right to determine eligibility and scope at its sole discretion.

Contact Us

For questions about this policy or about submitting a report, please contact:

Office of Information Security and Privacy
University of Mississippi Medical Center
2500 N State St Ste U215
Jackson, MS 39216-4500
Email: security-reports@umc.edu 
Phone: (601) 815-3944
