Responsible Disclosure Policy
1. Introduction
OpenEduCat takes security seriously. We appreciate the security research community's efforts in identifying vulnerabilities responsibly. This policy outlines how to report security issues and what to expect from us.
2. Scope
This policy applies to security vulnerabilities in: OpenEduCat software (Community and Enterprise editions), OpenEduCat Cloud services, OpenEduCat websites and APIs, and OpenEduCat mobile applications. Third-party integrations and services are out of scope.
3. How to Report
Report vulnerabilities to security@openeducat.org. Include: a detailed description of the vulnerability, steps to reproduce it, an assessment of its potential impact, your contact information, and any proof-of-concept code (if applicable). Use PGP encryption for sensitive reports.
4. Researcher Guidelines
Please: act in good faith, do not access or modify data that does not belong to you, do not disrupt services or degrade user experience, do not disclose vulnerabilities publicly before resolution, and comply with all applicable laws. Automated scanning tools should be rate-limited.
5. Our Commitment
We will: acknowledge receipt within 48 hours, provide regular updates on remediation progress, notify you when the issue is resolved, credit researchers in security advisories (if desired), and not pursue legal action against researchers acting in good faith.
6. Disclosure Timeline
We aim to resolve critical vulnerabilities within 7 days, high severity within 30 days, and medium/low severity within 90 days. We request that researchers allow us reasonable time to address issues before public disclosure.
7. Recognition
We recognize researchers who report valid vulnerabilities through: public acknowledgment (with permission), inclusion in our security hall of fame, and potential bounty rewards for critical findings (at our discretion). We do not currently operate a formal bug bounty program.
Questions about this policy?
info@openeducat.org