Bug Bounty Guidelines

Policy

Keeping user information safe and secure is a top priority and a core company value for us at Edmodo. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Edmodo users.

Submitting a Security Issue

Before submitting a security issue to Edmodo, please read this entire document. Once you have done so, please send an email to support@edmodo.com, preferably with “security issue” in the subject line. Once the report has been received, our security team will investigate the issue. We will respond to you within 10 business days with a triage decision and/or any additional requests for clarification.

Rewards

Edmodo provides rewards to vulnerability reporters at its discretion. Reward amounts vary depending upon the severity of the vulnerability reported and the quality of the report. Keep in mind that this is not a contest or competition. Here are some reward ranges, by severity, for vulnerabilities affecting the core Edmodo application.

Severity | Example issues                                                                                                          | Reward    | Time to fix
---------|-------------------------------------------------------------------------------------------------------------------------|-----------|------------
Low      | Self XSS; DNS misconfiguration; Clickjacking; DoS against single users; File upload filter bypasses                     | $50-$100  | 90 days
Medium   | CORS misconfiguration; CSRF misconfiguration; Password reset errors; Full site DoS; Access control (connected users); Open redirects | $100-$200 | 90 days
High     | Access control (any user); Access control (internal tools); Source code access; PII leaks; SSRF; Account takeover       | $200-$500 | 30 days
Critical | Remote code injection; SQL injection                                                                                    | $500+     | 30 days

These values are indicative and we reserve the right to determine the amount, or even whether a reward should be granted at all. We typically reward lower amounts for vulnerabilities that require significant user interaction. We may also pay higher rewards for clever or particularly severe vulnerabilities.

We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward.

Rewards will be paid through PayPal. Rewards will be paid in US Dollars. Recipients are responsible for any fees related to obtaining the reward funds. 

The following is a list of vulnerabilities that are not considered in scope:

  • Presence/absence of SPF/DKIM/DMARC records
  • Policies concerning password complexity, email verification, or account recovery link expiration
  • Login/logout CSRF
  • Attacks requiring physical access to a user’s device / MiTM attacks requiring installation of a forged TLS certificate
  • Missing security headers (such as X-Content-Type-Options) that do not directly lead to a security vulnerability
  • Missing best practices (we require evidence of a security vulnerability)
  • Host header injection
  • Use of known buggy libraries or software versions without evidence of exploitability; including vulnerabilities that require the user to be using outdated browsers or platforms
  • Reports of spam (including the ability to send emails with rate limits)
  • Presence/absence of autocomplete on web forms
  • Reports involving validating whether a given username/email is in use at Edmodo
  • Hyperlink injection in emails sent by Edmodo
  • Phishing based on unicode/punycode encoding issues
  • Content injection vulnerabilities without being able to run JavaScript
  • Presence/absence of virus scanning on user-uploaded content (including stripping EXIF tags from images and blocking Excel formulas in CSV uploads)
  • Potential subdomain takeovers for domains still in use 

Applications in Scope

Current applications in scope are the Edmodo iOS and Android applications and the Edmodo website (including the following domains):

  • www.edmodo.com, new.edmodo.com - Legacy/New web UI
  • {school}.edmodo.com - School subdomains; this includes all domains that load the same or similar content to www.edmodo.com or new.edmodo.com with additional school branding
  • api.edmodo.com - API used by new.edmodo.com and third party applications
  • fatbird.edmodo.com, waterboy.edmodo.com - Domains used for email campaigns
  • plumber.edmodo.com - Domain used for behind-the-scenes functionality for the main web UI

The following domains are not included in this program (exceptions may be made for high or critical severity issues or issues that impact the domains above):

  • blog.edmodo.com, developers.edmodo.com, go.edmodo.com  - WordPress installations
  • shop.edmodo.com, support.edmodo.com - Maintained by a third party

Acquisitions are typically not in the scope of this program. We may still reward anything with significant impact across our entire security posture, so we encourage you to report such bugs via this program.

Eligibility and Responsible Disclosure

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

  • Share the security issue with us in detail
  • Be respectful of our existing applications. Spamming forms through automated vulnerability scanners will not result in any bounty or award, since such activity is explicitly out of scope
  • Give us a reasonable time to respond to the issue before making any information about it public (see expected timelines above)
  • Do not access or modify our data or our users’ data without explicit permission of the owner
  • Only interact with your own accounts or test accounts for security research purposes
  • Contact us immediately if you do inadvertently encounter user data
  • Not view, alter, save, store, transfer, or otherwise access user data, and immediately purge any local information upon reporting the vulnerability to Edmodo
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service)
  • Otherwise comply with all applicable laws.

We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior. We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

Safe Harbor

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with Edmodo’s bug bounty policy, Edmodo will take steps to make it known that your actions were conducted in compliance with this policy.

The Fine Print

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We will not apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Edmodo employees and their family members are not eligible for bounties.