A security vulnerability refers to a flaw or weakness in a product or system that could compromise the availability or security of that product or system if exposed to attackers.
If you're a security researcher who wants to report a vulnerability, take a minute to review Codecademy’s responsible disclosure policy:
- We don't permit any security testing that attempts to degrade, interrupt, or deny service (DoS) to our users.
- Vulnerability research doesn't extend to accessing or modifying user data that doesn't belong to the researcher. All testing should be conducted against accounts that are under a researcher's control.
- We will make every attempt to respond in a timely manner as follows:
- Acknowledgement of the vulnerability report
- Timeframe for fixing the issue
- Notification that the issue has been fixed
Please do not submit vulnerabilities on any Codecademy forums or comment pages. We expect researchers to keep the details of the vulnerability private until a fix is released.
Please email our Customer Support team with a brief description of the vulnerability you've discovered along with your HackerOne email address so you may be invited to the program.
Codecademy maintains a private bug bounty program which gives our internal application security team the ability to focus on securing the next generation of Codecademy’s products while interacting with a small, qualified community of external researchers. The program is invitation-only, based on the researcher’s reputation and previous work. Learn more by visiting our HackerOne page.