Codecademy's Policy on Reporting Security Vulnerabilities

A security vulnerability refers to a flaw or weakness in a product or system that could compromise the availability or security of that product or system if exposed to attackers.

If you're a security researcher who wants to report a vulnerability, take a minute to review Codecademy’s responsible disclosure policy:

  1. We don't permit any security testing that attempts to degrade, interrupt, or deny service (DoS) to our users.
  2. Vulnerability research doesn't extend to accessing or modifying user data that doesn't belong to the researcher. All testing should be conducted against accounts that are under a researcher's control.
  3. We will make every attempt to respond in a timely manner as follows:
    • Acknowledgement of the vulnerability report
    • Timeframe for fixing the issue
    • Notification that the issue has been fixed

Notification must take place via email to Don't submit vulnerabilities on any Codecademy forums or comment pages. We expect researchers to keep the details of the vulnerability private until a fix is released.

Codecademy maintains a private bug bounty program which gives our internal application security team the ability to focus on securing the next generation of Codecademy’s products while interacting with a small, qualified community of external researchers. The program is invitation-only, based on the researcher’s reputation and previous work. Learn more by visiting our HackerOne page.

Was this article helpful?
3 out of 3 found this helpful
Have more questions? Submit one here.


Please sign in to leave a comment.