Schoology Responsible Disclosure Program

Secure by Default - This is the standard to which Schoology strives to build our platform and ensure a strong foundation of trust for our users.  That's why we consider it extremely important to have external reviews of our systems. We strongly encourage anyone to test the security of our systems and notify us about the findings so that we can address it as quickly as possible.  To get started, here are the guidelines and rules for finding and reporting issues in a responsible way. 

Our Commitment To You:

  • We will respond as quickly as possible to your submission.
  • We will keep you updated as we work to fix the bug you submitted.
  • We will not take legal action against you if you play by the rules. So, please read and follow them carefully.

How to notify us about a potential vulnerability:

 Send your findings to security <at> schoology <dot> com with the following details:
  •  Vulnerability identification - short summary (150 characters or less)
  • The potential impact of the vulnerability 
  • Steps to reproduce
  • Any additional information that may be important to help us to verify the flaw

 

Disclaimer:

Schoology reserves the right to ask the researcher to provide further clarification or a proof of concept exploit before awarding any bounty. A reported vulnerability must clearly demonstrate the risk to the application or its users in order to receive a bounty.

 Rules:

  • Do not attempt to gain access to another user’s account or data (that is to say that you can do cross-account testing, but only use accounts you own/control).
  • Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Do not publicly disclose a bug before it has been fixed.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Any questions? We are here to help.  Email us (security <at> schoology <dot> com)

In scope targets

*.schoologytest.com

app.schoology.com

Out of scope targets

Third-party apps like LTI apps

Third-party dependencies

Rewards

Powerschool does not provide monetary rewards for submissions sent to the Responsible Disclosure Program but invite the most active researchers to our private programs.