edX Responsible Security Disclosure Policy
(Last updated April 12, 2022)
edX recognizes and believes in the importance and value of security. For this reason, edX has a team of engineers who review, triage, and address all security vulnerabilities reported to edX. Please find below edX’s security policy, which includes a description of how to disclose a security vulnerability to edX, what actions edX will take following a disclosure, and edX's bug bounty program.
Disclosing a Security Vulnerability
If you believe that you have discovered a security vulnerability or otherwise suspicious activity relating to edx.org (or any subdomain) or the Open edX platform code base, please:
- report it to edX by emailing edX's security team at firstname.lastname@example.org;
- describe the nature of the vulnerability or activity; and
- provide sufficient detail in your report to enable edX to reproduce and understand the vulnerability and respond effectively, including the following (as applicable):
- a textual description of the steps necessary to reproduce the issue;
- proof-of-concept code; and
- links to vulnerable code.
Upon receipt of your email, the edX security team will acknowledge receipt, review and triage the reported vulnerability, and act accordingly. If necessary, the team will reach out to you for more information. The team will not provide further communication on the status of the vulnerability after it has been reviewed and triaged.
edX does not offer monetary bug bounties for security vulnerability disclosures. However, if you report something that the edX security team finds significant (in its sole discretion), the team may choose to provide a coupon code valued at up to US $150 that can be applied towards courses on www.edx.org as a token of edX’s gratitude. The value of this coupon will depend on the internally determined severity of your disclosed security vulnerability. Please note that disclosure of a potential security vulnerability does not guarantee a reward. For example, reports that are vague or only describe a low-impact, generic weakness without explaining how it directly results in a vulnerability on edx.org or other sites powered by the Open edX platform may not be considered for reward.
Out of Scope
If you're having an issue with an individual www.edx.org account, please visit the edX Learner Help Center for assistance.
There are many sites powered by the Open edX platform. If you have found a vulnerability that is specific to an Open edX deployment not run by edX LLC, please contact the operators of that site directly.