This responsible disclosure policy applies to any vulnerabilities you are considering reporting to Learnerbly. We recommend reading this policy fully before you report a vulnerability and always acting in compliance with it.
Please report any vulnerabilities to us using our vulnerability disclosure form.
We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.
Keeping our customers’ data secure is a key priority for us. If you believe you have discovered a security vulnerability, please do not share it publicly.
Instead, please report it to us using our vulnerability disclosure form.
Rules for you
- Do not break any applicable law or regulations.
- Avoid data deletion, unauthorised data access, and service disruption while testing the vulnerability you have found.
- Do not access or modify, or attempt to access or modify, data that does not belong to you.
- Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
- Do not run any automated tools against our servers without prior coordination.
- Do not try to abuse our servers’ resources.
- Do not publicly share the vulnerability details until we confirm that it’s fixed.
- Do not attempt to blackmail us, or try to sell us your security report.
- Do not demand financial compensation in order to disclose any vulnerabilities.
- Securely delete all data retrieved during your research as soon as it is no longer required or within one month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
Rules for us
- We will reply to all correctly submitted reports, and we will work with you on fixing the issue.
- We will perform our own risk assessment for every reported vulnerability.
- If your report is not eligible, we will let you know the reason why.
- We will let you decide whether you want to be publicly acknowledged for your report.
Targets
Testing is only authorised on the targets listed as in-scope. Any domain or property of Learnerbly not listed below is out of scope. This includes any and all subdomains not listed below.
In-scope:
- app.learnerbly.com – The web interface for the Learnerbly service.
- api.app.learnerbly.com – The API interface for the Learnerbly service.
- www.learnerbly.com – The content website for Learnerbly.
Out of scope
The following items are deemed out of scope, and reports made against these items will not be reviewed.
- Known vulnerabilities in third-party libraries and software used by Learnerbly (unless you can prove exploitability).
- Known vulnerabilities in the components of our technology stack reported within 48 hours of their public disclosure.
- XSS on any domain other than those listed in the Targets section.
- Security issues that are only reproducible under highly unlikely conditions (for example, using outdated or exotic web browsers, operating systems, or insecure internet connections).
- Bugs or functionality that reveal whether a tested email address exists in our database (user enumeration), as well as the theoretical ability to brute-force such functionality.
- Missing security headers (unless you can prove exploitability).
Bounty
We do not offer monetary rewards for vulnerability disclosures. Please report any vulnerabilities to us using our vulnerability disclosure form.
Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Learnerbly or partner organisations to be in breach of any legal obligations.