Schoology Vulnerability Disclosure Program

Secure by Default - This is the standard to which Schoology strives to build our platform and ensure a strong foundation of trust for our users. That's why we consider it extremely important to have external reviews of our systems. We strongly encourage anyone to test the security of our systems and notify us about their findings so that we can address them as quickly as possible. To get started, here are the guidelines and rules for finding and reporting issues in a responsible way.

Our Commitment To You:

  • We will respond as quickly as possible to your submission.
  • We will keep you updated as we work to fix the bug you submitted.
  • We will not take legal action against you if you play by the rules. So, please read and follow them carefully.

How to notify us about a potential vulnerability:

Send your findings to security <at> schoology <dot> com with the following details:
  • Vulnerability identification - short summary (150 characters or less)
  • The potential impact of the vulnerability
  • Steps to reproduce
  • Any additional information that may be important to help us verify the flaw

Disclaimer:

Schoology reserves the right to ask the researcher to provide further clarification or a proof of concept exploit before awarding any bounty. A reported vulnerability must clearly demonstrate the risk to the application or its users in order to receive a bounty.


Rules:

  • Do not attempt to gain access to another user’s account or data (that is to say that you can do cross-account testing, but only use accounts you own/control).
  • Do not perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Do not publicly disclose a bug before it has been fixed.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Any questions? We are here to help. Email us at security <at> schoology <dot> com.

In scope targets

*.schoologytest.com

app.schoology.com

Out of scope targets

Third-party apps like LTI apps

Third-party dependencies

Rewards

Schoology reserves the right to decide whether the findings are suitable to be rewarded or not, so this is not a guarantee that we will reward all findings.

The only channel Schoology uses to pay researchers for their findings is Bugcrowd. After sending us your findings, please create an account on Bugcrowd and inform us of your account info. We will get in touch.

The compensation, when applicable, for the vulnerabilities you found will be determined by the level of risk they pose, as defined by the standard Bugcrowd Vulnerability Rating Taxonomy.