Responsible Disclosure

For any further inquiries or clarifications regarding this policy, please contact security@wearelearning.io

This policy is subject to change without notice. Please review it regularly to stay informed of any updates.

Responsible Disclosure

Last updated:

Introduction:

We Are Learning is committed to the security of its customers and the wider community. We recognise the value of the security community and encourage responsible disclosure of vulnerabilities to enhance the overall security of our products and services. This Responsible Disclosure Policy outlines the process for reporting security vulnerabilities and the protections offered to researchers.

Reporting:

  1. Email your findings to security@wearelearning.io. Please provide sufficient information to understand the nature and scope of the vulnerability, including steps to reproduce, if possible.
  2. If possible, encrypt your findings using our PGP key (see below) to prevent this critical information from falling into the wrong hands.
  3. Do not take advantage of the vulnerability or problem you have discovered.
  4. Do not reveal the problem to others until it has been resolved.

Scope:

The scope of this policy covers all We Are Learning digital properties, including our core platform, web applications, and APIs.

Safe Harbour:

  1. Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you.
  2. We consider activities conducted consistent with this policy to constitute “authorised” conduct under the Computer Fraud and Abuse Act.

Response:

  1. We will acknowledge receipt of your vulnerability report within three business days.
  2. Our security team will review your submission and strive to keep you informed about our plans for mitigating the vulnerability you have reported.
  3. We will notify you when the vulnerability has been fixed and may ask for your assistance in re-testing to confirm the fix.

Recognition:

We appreciate the efforts of security researchers in making the digital world safer and will give credit to researchers who responsibly disclose vulnerabilities to us, following this policy. We will offer a mention in our Security Hall of Fame for all those that submit a previously unknown vulnerability that triggers a code or configuration change.

Out of Scope:

Please note! Most reports we receive have little or no security impact or are already known. To avoid a disappointing experience when contacting us, please take a moment and consider if the issue you want to report actually has a realistic attack scenario.

More specifically, we ask you to not submit issues regarding:

  • Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability.
  • Findings from automated tools without providing a Proof of Concept.
  • Vulnerabilities requiring MITM, or physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jailbroken smartphones.
  • Missing or weak security-related HTTP headers.
  • Non-Sensitive Data Disclosure, for example server version banners.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Self-XSS.
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Host header injection, unless you have confirmed that it can be exploited in a practical attack.
  • Expired SSL certificates, weak SSL Ciphers, or issues regarding old TLS/SSL versions.
  • Previously known vulnerable software or libraries without a working Proof of Concept.
  • Rate limiting or brute-force issues on non-authentication endpoints.
  • Denial of Service.
  • CSV/formula injection.
  • Flash based exploits.
  • Clickjacking.

Our PGP key

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGVA1GcBEADJ6V3Zm/VP+4nxMAR85xapGFqkaOfsVqFq1Qkuj4vCGPie0T3p
OkIDUR4KMRba1tPXpHatLP6xvzxZ4P/+x+7xm+ZA9BOQZNm973pcnq9wkc+ZOj02
Vbt6fhHJKe6zJYQBw25Z5tb06AvFFXWvxSQLEK+UHAcspO9ssN7onZDDiJk6l/Yl
jNSsX/3urapjZ5ss+mThsiFruHwRBr38U2eei/M3w+tR43jJ0ZKziiaavxW1pB3c
74gfh5JTjvl1Sh13s8mH3FTYD7dowJ2HYqO2qK3OzHi2s0LCwq/DNtlXuGIngCx1
FbwepoBJ0Iy5yvj1cg3dACNigjKustE+/3AJdfuZfWM0d2qIJvYSb18VhK9+52TV
Ip0Q3SoOQkK92SlA7ZxlNKYbAODii+qfmjqtKCLA2dLN1tInmoHHt7p/G7DawCYq
2R8UizW/W6S0eezNNcQcafULD8Lzo7prwPVJZyQIUUHpRSj2mylwc0ifaXtYV5GQ
kikbAb6aeRBV4UBXjgqK4DNIh6HEW0VB7QN/FZTSXLx1IIWuWNOcRMQk+P5vgnW5
P6dWf0jsfypv8KYSbLZDS0Fcir3p86rJkQGLzo/cZnsISuxg0L0eNDCx7UM0fp0D
XYYOuTuQAjtzgCmFOhWhZbyLn5cdvuvuA5YUaXA8DtddKJmuKZ3NeoywXQARAQAB
tGZTaW1lbiBPZnRlYnJvIFNrdWxiZXJnIChQR1Aga2V5IGZvciByZXNwb25zaWJs
ZSBkaXNjbG9zdXJlIEAgV2UgQXJlIExlYXJuaW5nKSA8c2ltZW5Ad2VhcmVsZWFy
bmluZy5pbz6JAlcEEwEIAEEWIQTNQA+wVYvq6RRSVK4b+qum//veQwUCZUDUZwIb
AwUJA8JnAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRAb+qum//veQws3
D/45bQpJa8nxH0+rB0seaEMxHDxAXS1zfr90yagDS8UyUhRMhZ24m5XpJz6W/iA2
+kOjR5Ix4OGemMHC9pjLK75qGZZUX+ZQ2HnfNF3Vt/sVJJoqaUFr2/ZhFUcff1RO
VaIM8eTmDzpduxev7wZdNJWoPVe5Jw7CmsA52n2GUsoL+TKjo5KF2XJ13dtboQE3
cFOA+I/fGZIiAKT5m6QSqVdeSmfQozoOqeiRYZkWD34vDdbsps9NUbkTfi7q04+n
WbOLwuXCzKmbPj83HVtOzuIywgDJMFJF8e15Zvtt0j6WGyR9x8KToKQVaOp3CJbi
P8HXLPg3gb63D3GE59A5ipqIhyL05K+wdjObUjiIoQRn96M0d3AiEXzYnQ36fyi/
E2Y36qHZYfsOS/koBll33sLvBNKbF2G5qHJqAhysC4Bm64nVavisoE/0Gwq3Gnq/
VcPwLB7VnCP18BNhzszkWqVRQWkstxhWjEYnm2ucCF5HNmabA7g8N0HIk4DiGj35
zxWQ3zm5uME0IXPvpddkK+z4VsgkG/Myc4Bwo/Qot6hnsdLF9fECK3ccXqvpGz6w
Nb64LHsfbztn5NZH1dboS7HnvZuK/P3t9yI/tTn2cZvw+z+QKN9PtubP0Ihr+Ett
B3pbLOfG29rhhgjVSnz3vdl3x3uFQxoquMXoYkKb3Piuf7kCDQRlQNRnARAAqtN7
kF9U5MFsurYwmx3dmp6l2kFefyB7u15JPTCa4S5S4VF/usJqGbBPRcsWjyqEoCy/
AwrGbs7eDeyTAyqtwrZjicnFVO2vxaBfYP0hQRczv+dHmLfZs3vInFCF5sA+hAPS
nSBOqY53/vZeMDP38V+meKoU0t28b6eijQFMGzgcmxNHZ5ag60ZwUmDVYuiwYIT6
U1qDGXKFiFNu6lPsG+cPMvnPo0f1qPKEdzICuUfptP0vQGv6qCEuxbK1udJXkYJa
jFp9J07+xONsI013KWEQDaBD4QreqhBuJzoBJuuPrJqXJqSeVfY0S9I0h60t1suj
JnYsX3NB1DyRX5A724vWtxFry17C7+bFmwjoc4UnLtOAtAcnXBUZf/w7/Cp+qUhV
R2iPwRq3lHsN+OzJdAOeBbVyRhEGFFpBKUa/3HmPhDewWSkg+v7a0VWLNsbyJK8p
uhPivFBAp4DdaUfJg90uMduCy2Pt6Ktz+VRe9nrxOgGxbSW6IEn3d1JIEwzZCEuM
JhBNFpV/mJrxtnwqP5IcSGKk0xRM4p3c+BvrOP+2SylP/4aO9iZtFMB6wKBIRJid
jJd4ScZgiJ9wNSuz2LTQ4uC79zandxrqoxoLID/+asviMn8ZNX+xz2prXwcjtjl0
v36CeAY+TznbndUkRhaamI+bZAECMvMc/6/D3UEAEQEAAYkCPAQYAQgAJhYhBM1A
D7BVi+rpFFJUrhv6q6b/+95DBQJlQNRnAhsMBQkDwmcAAAoJEBv6q6b/+95D90cP
/j56eA31VoAP+aolNOEPvSR5v6D22fRn5JGS+EMFIBhndOIlt+plCXtjbjXjU18O
b7i6NApyPqo3T03h3Ix1bkoxoBQOVd4DXWBAJ1agelLP6lD4GuJKohNclbaSJm8E
aZhKOCW5cq3tQnK1wmn2BXS35IVY52NGvdKF8MY54UhHGilw45xZp3jf/0nN1Q/J
rLT2NYFD4lHEVFtrNLiY+MGK+0Dy0K0FjUWjCv7H00xUTtBRIScNwp+VrqCl4l2J
bvDH3WGRV5A2gCOUhnWZOkapvX5mB5emA+Pzlg8eFhCATntuXdahb4Es3NrDltKg
6cW+iXRl/dwT8NbOtUcz3YdhCInGqy99lhp9828EvkrJyS/QEfF8qRhh8SUgD06S
EGXH4Gu/AQDW07ATxev8j50cG8Z+MuQJfPIFKiORU3IFoXzkeu0AvoLrkEU9EYZo
SCJidRhV0dSnI3mV8a5RngJuslItzojfQb+yTJOkgHp2vfZXQFnSAkyLiAhkK5Y5
uBPmcYjdLGGpbWbmAyLL/BAUCa1IL/FiVc7j6dlgHEfowHUIz9x7Jox/Pb9tAPOV
iXVeH1BxL6bgFIAl1ucH4UUvU0+gTrftROCyyErB6WT9D/kewsDxs5mPq0zz8JsF
LhwA4HgngaqJhU8zxtDMotZFbGxYqzbG1uLFBIhC4fJs=VmOe


-----END PGP PUBLIC KEY BLOCK-----



Any questions on this topic?

Sign up for newsletters

Don't miss out on our latest news. Get the inside knowledge on product updates and upcoming events.

Privacy policy
© WE ARE 2024