# Stile's Vulnerability Disclosure Policy

## Introduction

Stile is committed to ensuring the privacy and security of our teachers and students: a vigorous, permission-less security testing culture is critical to maintaining our strong security posture. This policy describes what systems and types of security research are permitted by default, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We strongly encourage you to contact us to report potential vulnerabilities in our systems.

## Guidelines

This policy covers security research in which you:

- Notify us as soon as practicable after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Immediately delete all copies of any sensitive data obtained during the course of testing.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit an unreasonably high volume of low-quality reports.

## Reporting a vulnerability

Please send all vulnerability reports to `security@stileeducation.com`, encrypted with the following PGP key if possible: https://stile-public-key-infrastructure.s3-ap-southeast-2.amazonaws.com/pgp/security-disclosure-public.txt

A good vulnerability report ought to include:

- A description of the vulnerability
- An estimate of the impact (e.g. what kind of access the vulnerability allows)
- Reproduction instructions, including any technical details, proof-of-concept code, screenshots, etc.
You may send your report anonymously, although we encourage you to send us contact information so that we can ask follow-up questions, notify you when the problem is fixed, and arrange payment of any bounty that you are eligible for.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must *stop* your test, notify us immediately, delete any sensitive data you have acquired, and not disclose this data to anyone else.

### What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

Within 3 business days, we will acknowledge that your report has been received. To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution. We will maintain an open dialogue to discuss issues.

Once we have confirmed a serious issue, it will be fixed within 14 days. We may require you to delay publication of the vulnerability beyond that date so that we can apply additional remediations and privately notify any affected users. You should expect to be able to publish your findings within three months of notifying us, except in exceptional circumstances.

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect other users of a product or service and not solely Stile or its partners, then we may share your report with the affected service vendors or software maintainers. We will not share your contact information without permission.
## Permission by Default

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Stile Education will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

## Test methods

The following test methods are not authorized:

- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

## Scope

All systems operated by Stile Education, including those served under `stileapp.com` and `stileeducation.com`, are covered by this policy.

## Bounty

Stile offers a bounty of up to $50,000 AUD for serious vulnerabilities discovered and reported in accordance with the above policy. Whether a report is eligible for a cash reward, and the size of the reward, will be decided at the sole discretion of Stile, based on the severity of the vulnerability and the quality of the report.

Rewards will be paid within 90 days of disclosure via bank transfer, PayPal or another platform acceptable to both Stile and the reporter. If a report is determined to be eligible for a bounty, but payment can't be negotiated (for example: if the report was made anonymously, or if we can't contact the reporter in a reasonable time, etc.), then Stile will donate the bounty amount to a charitable organisation of our choice in lieu of payment to the reporter.
Any individual that has been engaged commercially by Stile (including but not limited to: employees, ex-employees, contractors, consultants, vendors and their employees) and their immediate family members are not eligible bounty recipients. Stile students and teachers *are* eligible recipients: if you've found a vulnerability while using Stile, please tell us!