IT University of Copenhagen — Vulnerability Disclosure Policy
Last updated: February 2026

ITU prioritize Information Security and we appreciate and welcome responsible disclosure of vulnerabilities on our systems. This policy outlines how to report vulnerabilities to us.

Scope
This policy applies to publicly accessible systems and services operated by ITU, including web applications, APIs, and network services hosted under the itu.dk domain.

How to report
Send your report to it@itu.dk. Please include a clear description of the vulnerability, affected system or URL, steps to reproduce, and your assessment of potential impact. Please include any obtained documentation such as screenshots, logs etc.

Reports in both English and Danish are accepted.

For critical or high-severity findings — such as vulnerabilities that could lead to data breaches, system compromise, or significant service disruption — please contact us at it@itu.dk with a brief, non-technical summary first. We will respond promptly to establish a secure communications channel before sensitive technical details are exchanged.

What to expect from us
We will acknowledge your report as soon as possible and aim to keep you informed as we investigate and remediate the issue. We will let you know when the vulnerability has been resolved.

What we ask of you
Please act in good faith. Do not access, modify, or delete data to demonstrate the vulnerability. Avoid disruption to our services and do not share information with others or go public about the vulnerability, until we have had a reasonable opportunity to address it. Do not conduct social engineering, phishing, or physical attacks against ITU staff, students or infrastructure.

No bug bounty
We do not operate a bug bounty programme and are unable to offer monetary compensation for vulnerability reports. We are nevertheless grateful for responsible disclosures that help us protect our community of students, researchers, and staff.