eduMe's Security Vulnerability Disclosure Policy
Last updated: 17 October 2022
This is eduMe’s Security Vulnerability Disclosure Policy.
We recommend reading this disclosure policy fully before you report any vulnerabilities. This helps ensure that you understand the policy and act in compliance with it.
Maintaining the security of our systems and services is a high priority at eduMe.
The security researcher community regularly makes valuable contributions to the security of organisations and the broader Internet. We actively endorse and support working with the research and security practitioner community to improve our own security.
Below we provide more information on specific security practices.
We are committed to:
- investigating and resolving security issues in our platform and services thoroughly
- working in collaboration with the security community
- responding promptly and actively
Please note that this page does not provide any form of indemnity for any actions if they are either in breach of the law or of this policy. It does not provide an indemnity from eduMe or any third party.
Scope
This disclosure policy applies only to vulnerabilities in eduMe products and services under the following conditions:
- ‘In scope’ vulnerabilities must be original, previously unreported, and not already discovered by internal procedures.
- Volumetric vulnerabilities are not in scope: simply overwhelming a service with a high volume of requests does not qualify.
- Reports of non-exploitable vulnerabilities, or reports indicating that our services do not fully align with “best practice”, for example missing security headers, are not in scope.
- TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support, are not in scope.
- The policy applies to everyone, including eduMe employees, third party suppliers and general users of eduMe services.
Bug bounty
We do not currently have a bug bounty programme that allows us to reward individuals for findings. Whilst we work towards this capability, we highly encourage researchers to disclose findings that have the potential to impact eduMe and our customers, so that we can take the necessary actions. We will, however, make efforts to show our appreciation to security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy wherever we can.
Guidance
Security researchers must NOT:
- Use high-intensity invasive or destructive technical security scanning tools to find vulnerabilities.
- Execute or attempt to execute “denial of service” or “resource exhaustion” attacks.
- Violate the privacy of eduMe users, employees, contractors, services or systems. For example, by sharing, redistributing and/or not properly securing data retrieved from our systems or services.
- Communicate any vulnerabilities or associated details using methods not described in this policy.
- Disrupt eduMe’s services or systems.
- Engage in physical testing of facilities or resources.
- Engage in social engineering or physically attack eduMe staff or services.
- Send unsolicited electronic mail to Proton users, including “phishing” messages.
- Require financial compensation in order to disclose any vulnerabilities outside of a declared bug bounty reward structure (such as holding an organisation to ransom).
- Introduce malicious software into the systems of eduMe or any third party.
- Perform tests that could degrade the operation of eduMe systems or intentionally impair, disrupt, or disable SEC systems.
- Test third-party applications, websites, or services that integrate with or link to or from eduMe systems.
- Delete, alter, share, retain, or destroy eduMe data, or render eduMe data inaccessible.
- Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on eduMe systems, or “pivot” to other eduMe systems.
Legalities
This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause eduMe to be in breach of any of its legal obligations, including but not limited to:
- The Computer Misuse Act (1990)
- The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
- The Copyright, Designs and Patents Act (1988)
eduMe affirms that it will not seek prosecution of any security researcher who reports any security vulnerability on an eduMe service or system, where the researcher has acted in good faith, in accordance with this disclosure policy and applicable laws.