Bug Bounty Program
At Edlink, the security of our platform and the protection of school and developer data are paramount. Our Bug Bounty Program encourages collaboration with the security community to identify and remediate potential vulnerabilities, helping us maintain a robust and secure environment for everyone. We appreciate your efforts in making Edlink safer.
To report a vulnerability, please contact us at security@ed.link with detailed information. We are committed to working with researchers to validate and address reported issues promptly.
Vulnerability Impact and Rewards
We classify vulnerabilities into four tiers based on their potential impact. Rewards are structured as follows:
- Low Impact: $100. These are issues with limited exploitability or impact. Examples include self-XSS that cannot target other users, disclosure of non-sensitive server configuration details, or missing security headers without direct exploitable consequences.
- Medium Impact: $500. Vulnerabilities in this tier have a moderate impact. This could involve Stored XSS on less sensitive pages affecting other users, CSRF on significant actions without critical data exposure, or disclosure of moderately sensitive, non-PII data. Broken authentication or authorization leading to access to non-critical user data also falls here.
- High Impact: $2,500. These are serious vulnerabilities that could lead to significant data exposure or unauthorized access. Examples include Stored XSS on highly sensitive pages, SQL Injection leading to disclosure of non-critical database information, significant PII disclosure for a subset of users, or privilege escalation to higher, but not full administrative, access.
- Critical Impact: $5,000. Critical vulnerabilities pose an immediate and severe threat to our systems or data. This includes Remote Code Execution (RCE) on production servers, SQL Injection leading to full database compromise or mass PII disclosure, full authentication bypass, or unauthorized access to or modification of sensitive data for all users, such as all student PII or all integration secrets.
Responsible Disclosure
We ask that all security researchers adhere to responsible disclosure practices. This means:
- Report vulnerabilities privately to Edlink at security@ed.link as soon as you discover them.
- Provide us with a reasonable amount of time to investigate and remediate the issue before making any information public.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research. Do not access or modify user data without explicit permission.
- Only interact with accounts you own or with explicit permission from the account holder.
By following these guidelines, you help us protect our users and ensure a coordinated response to any potential threats. We are committed to working with you to understand and resolve vulnerabilities in a timely manner.