edX Responsible Security Disclosure Policy
(Last updated 12/18/2019)
edX recognizes and believes in the importance and value of security. For this reason, edX has a team of engineers who review, triage, and address all security vulnerabilities reported to edX. Please find below edX’s security policy, which includes a description of how to disclose a security vulnerability to edX, what actions edX will take following a disclosure, and edX's bug bounty program.
Disclosing a Security Vulnerability
If you believe that you have discovered a security vulnerability or otherwise suspicious activity on edX, please:
- report it to edX by emailing edX's security team at firstname.lastname@example.org;
- describe the nature of the vulnerability or activity; and
- provide as much detail as possible to help edX respond quickly and effectively, including
- proof-of-concept code,
Upon receipt of your email, the edX security team will acknowledge the receipt of your email, review and triage your security vulnerability, and act accordingly. If necessary, the team will reach out to you for more information. The team will not provide communication on the status of the security vulnerability after it has been reviewed and triaged.
As a non-profit organization, edX does not offer monetary bug bounties for security vulnerability disclosures. However, if you report something that the edX security team finds significant (in its sole discretion), the team may choose to provide a coupon code valued at up to $150 that can be applied towards courses on edx.org as a token of edX’s gratitude. The value of this coupon will depend on the internally determined severity of your disclosed security vulnerability.
Please note that disclosure of a potential security vulnerability does not guarantee a reward.