Responsible Disclosure

The security of our IT services is a major concern for us. We are constantly working to protect our services and data in the best possible way. The view from the outside is a great help.

We would be grateful if you, a security researcher, would inform us if you discover a vulnerability.

Please note the following terms and conditions:

Act responsibly: With great power comes great responsibility.
The goal is to show possible attack vectors, not to cause damage. Use a discovered vulnerability for illustrative purposes only.
Never delete or modify data and avoid failures (e.g. DoS).
Treat collected information confidentially.
Provide us with sufficient information about your discovery. Usually a URL or IP address of the affected system with a short description of the vulnerability should be enough.
In any case, the following actions are not covered by Responsible Disclosure:
- Spam & Phishing
- Social Engineering
- DDoS attacks
- Attacks on physical security

With your report of vulnerabilities, you help us a lot. Comply with the above-mentioned terms and conditions and act responsibly. You can contact us anonymously and encrypted by email.

Contact details

Email: disclosure@wu.ac.at

PGP key fingerprint: C74A 7EFF C99C A19B 5CBE 1E13 8CF7 F882 C327 1E69

We thank you for your support in keeping our services and data as secure as possible.

Name	Purpose	Lifetime	Provider
CookieConsent	Saves your consent to using cookies.	30 days	WU
site-popup	Saves if popup was filled or closed.	30 days	WU
BACH_PRXY_ID	To be able to display some WU-specific content, it is necessary that some information must be accessed by back-end WU systems. Required to assign the appropriate answer to a request.	20 years	WU
BACH_PRXY_SN	To be able to display some WU-specific content, it is necessary that some information must be accessed by back-end WU systems. Required to assign the appropriate answer to a request.	session	WU
fe_typo_user	Required for login and access to protected content or for editing the user’s personal profile.	session	WU
be_typo_user	Required for login and editing content in the TYPO3 back end.	session	WU
be_lastLoginProvider	Stores the last method used for logging in to the TYPO3 back end.	90 days	WU
ASP.NET_SessionId	Required for assigning visitors to forms.	session	WU (forms.wu.ac.at)
__RequestVerificationToken	Required to protect forms against attacks.	session	WU (forms.wu.ac.at)
ESRASOFTSID	Required for identifying the logged-in user in the Business Language Center’s course registration system.	session	WU (esrasoft.wu.ac.at)
esraSoftWiData	Required to track the language and language courses selected by the user.	session	WU (esrasoft.wu.ac.at)
esraSimpleSAMLAuthToken	Required for identifying WU employees during the course registration process.	session	WU (esrasoft.wu.ac.at)
esraSimpleSAML	Required for identifying WU employees during the course registration process.	session	WU (esrasoft.wu.ac.at)
SimpleSAML	Required for identifying WU employees during the course registration process.	session	WU (esrasoft.wu.ac.at)

Name	Purpose	Lifetime	Provider
_pk_id	Used by Matomo Analytics to store a few details about the user, such as the unique visitor ID.	30 days	WU (piwik.wu.ac.at)
_pk_ref	Used by Matomo Analytics to store the attribution information, the referrer initially used to visit the website.	6 months	WU (piwik.wu.ac.at)
_pk_ses	Created by Matomo Analytics, short-lived cookies used to temporarily store data for the current visit.	1 hours	WU (piwik.wu.ac.at)