A security vulnerability refers to a flaw or weakness in a product or system that could compromise the availability or security of that product or system if exposed to attackers.
If you're a security researcher who wants to report a vulnerability, take a minute to review Codecademy’s responsible disclosure policy:
- We don't permit any security testing that attempts to degrade, interrupt, or deny service (DoS) to our users.
- Vulnerability research doesn't extend to accessing or modifying user data that doesn't belong to the researcher. All testing should be conducted against accounts that are under a researcher's control.
- We will make every attempt to respond in a timely manner as follows:
  - Acknowledgement of the vulnerability report
  - Timeframe for fixing the issue
  - Notification that the issue has been fixed
Notification must take place via email to firstname.lastname@example.org. Don't submit vulnerabilities on any Codecademy forums or comment pages. We expect researchers to keep the details of the vulnerability private until a fix is released.
Codecademy maintains a private bug bounty program which gives our internal application security team the ability to focus on securing the next generation of Codecademy’s products while interacting with a small, qualified community of external researchers. The program is invitation-only, based on the researcher’s reputation and previous work. Learn more by visiting our HackerOne page.