Bug Bounty Program

Rewarding security researchers for responsibly finding vulnerabilities

Updated on June 3, 2020

CourseStorm strives to streamline access to education for all, and privacy and security are key to making sure students feel safe and satisfied while using our product. We welcome the opportunity for security researchers to report vulnerabilities to us as we continue to expand the offerings we provide to programs across the country.

Program Rules

Follow the rules below while researching and investigating.

Please set up a test catalog(s) to complete your research. To set up a test account, visit coursestorm.com and click “Try for Free” in the top right corner. When signing up, you must add +securityresearch to your email address before the @ symbol (for example, user+securityresearch@example.com). If you do not follow this convention and the rules below, your catalog site will be disabled if suspicious activity is discovered through our anti-fraud measures.

As general rules, do not do any research or testing in violation of law, and please respect the security, privacy, and user experience of our existing users and students while conducting your research.

  • Automated testing, DoS/DDoS, brute force, and other means that may have a measurable effect on system performance are not permitted.
  • Follow our Disclosure Policy (outlined below).
  • Make a good faith effort not to access or destroy another user’s data. Do not use assets (class information, personal information, credit cards, etc.) that belong to other individuals or programs.
  • Test only on your own catalog(s) when investigating, and do not interact with other accounts without the consent of their owners.
  • Do not use phishing, social engineering, or similar techniques to gain access via interactions with CourseStorm’s staff, contractors, or existing users.
  • Do not perform physical attacks against CourseStorm property, data centers, or customers.

Reporting Process

Please report any vulnerabilities to security@coursestorm.com. We suggest using the following format for a report:

Summary: A few sentences that summarize the reported vulnerability, including how it could be used to compromise security

Description: A fuller technical description of this particular vulnerability

Steps to Reproduce: A list of steps we can use to reproduce the vulnerability, preferably from the creation of a fresh CourseStorm catalog site

Supporting Material: Screenshots, logs, or articles that document the issue or how it was implemented in CourseStorm

We aim to have a first response to each report within two business days.

We appreciate detailed, step-by-step instructions in reports, preferably outlining directions from the creation of a fresh CourseStorm catalog. Completeness and replicability are two major factors we use when determining both eligibility for and extent of compensation (if applicable).

Please make sure that any screenshots or videos you include in your report are not accessible by the public.

Disclosure Policy

Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve it. In order to protect our users’ privacy and safety, we ask that vulnerabilities aren’t disclosed publicly until a fix is in place.

  • Please do not release your findings to the public until we explicitly give release authorization.
  • Once a fix is available and we’re confident disclosure won’t compromise our users’ safety or privacy, we will review any relevant requests for disclosure.
  • For any disclosures, only display test data; do not publish personal or private information.

Rewards / Bounties

For a unique and replicable vulnerability that compromises security, we offer a bounty as long as the research performed to identify the vulnerability follows our Program Rules (outlined above). We’ll determine the amount of the bounty based largely on the quality of your submission, the degree of severity (low, medium, high, and critical), and other factors. We’ll stay in touch as we work on a resolution.

In most cases we will only reward the first person to report each unique issue to us. If a duplicate report contains significant additional information that helps us diagnose or resolve the issue, we may consider a separate reward.

Reports originating from countries against which the United States has sanctions or trade restrictions are ineligible for bounties.

Current CourseStorm employees, CourseStorm contractors, and former CourseStorm employees (for a period of one year after date of departure from CourseStorm) are not eligible for our bounty program.


While you’re researching, do not report or engage in the following. They will likely make your reports ineligible for our bounty program.

  • Reports or data generated by scanners
  • Reports of vulnerabilities in technology, infrastructure, etc. that are not shown to have a specific effect in CourseStorm
  • DoS, DDoS, brute force, dictionary, or similar attacks
  • Spamming
  • MITM or vulnerabilities requiring physical access to a victim’s device or account
  • Issues related to CourseStorm’s password requirements
  • Vulnerabilities on the www.coursestorm.com informational website (these reports should be submitted to the WordPress team)

Bugs that do not have security implications are appreciated, but they are not eligible for a bounty. These reports should be sent to support@coursestorm.com.

Thank you for helping keep CourseStorm and our users safe!