Vulnerability Disclosure Policy
Classroom Pulse takes security seriously. We appreciate the security research community's efforts in helping keep our users safe. This policy outlines how to report vulnerabilities and what you can expect from us.
Responsible Disclosure Guidelines
We encourage responsible disclosure of security vulnerabilities. To be eligible for recognition, please follow these guidelines:
- Report vulnerabilities privately to our security team
- Provide sufficient detail to reproduce the issue
- Allow reasonable time for us to address the vulnerability before public disclosure
- Do not access, modify, or delete user data
- Do not perform actions that could harm our services or users
- Do not conduct physical security attacks or social engineering
How to Report
Primary Contact
Email: security@classroompulse.io
PGP Key: Available upon request
What to Include
- Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
- Affected components (URLs, endpoints, or features)
- Step-by-step reproduction instructions
- Proof of concept (screenshots, videos, or code)
- Impact assessment (what data or functionality is at risk)
- Your contact information (for follow-up questions)
In Scope
The following are within scope for vulnerability reports:
- Classroom Pulse web application (*.classroompulse.io)
- API endpoints (/api/*)
- Authentication and authorization mechanisms
- Data validation and sanitization
- Session management
- Cryptographic implementations
- Third-party integrations affecting security
Out of Scope
The following are outside the scope and should not be tested:
- Denial of Service (DoS) attacks
- Physical security attacks
- Social engineering or phishing
- Attacks on our employees or users
- Third-party services not under our control
- Issues already known or previously reported
- Theoretical vulnerabilities without proof of concept
- Automated scanning without manual verification
Severity Classification
| Severity | Description |
|---|---|
| Critical | Remote code execution, data breach, authentication bypass |
| High | Privilege escalation, sensitive data exposure |
| Medium | Cross-site scripting, CSRF, limited data access |
| Low | Information disclosure, minor security misconfigurations |
Our Commitment
When you report a vulnerability to us, we commit to:
- Acknowledge receipt promptly
- Provide updates on our progress
- Work with you to understand and validate the issue
- Address the vulnerability as quickly as possible
- Notify you when the issue is resolved
- Recognize your contribution (with your permission)
Recognition
We appreciate the efforts of security researchers. With your permission, we will:
- Add your name to our Security Hall of Fame
- Provide a letter of appreciation
- Consider rewards for significant vulnerabilities (case-by-case basis)
- Provide references for your security research work
Legal Safe Harbor
We consider vulnerability research conducted according to this policy to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)
- Exempt from the Digital Millennium Copyright Act (DMCA)
- Lawful and helpful to the overall security of the Internet
We will not pursue legal action against researchers who:
- Follow this vulnerability disclosure policy
- Report vulnerabilities in good faith
- Avoid privacy violations or harm to users
- Do not exploit vulnerabilities beyond validation
Contact Information
Security Team Email: security@classroompulse.io
PGP Fingerprint: Available upon request
Note: For general support issues not related to security vulnerabilities, please contact support@classroompulse.io
This vulnerability disclosure policy is subject to change. Thank you for helping us keep Classroom Pulse secure for all users.