Trust

Vulnerability disclosure

Last updated: 2026-05-18

If you believe you’ve found a security issue in the Institute platform, please tell us. We take reports seriously and will respond. There is no formal bug-bounty program, but we credit reporters who ask for credit.

How to Report

with:

  • A description of the issue and its impact
  • Steps to reproduce, or a proof-of-concept payload
  • Affected URL(s) and any HTTP requests / responses
  • Your name and how (if at all) you’d like to be credited

What We Commit To

  • Acknowledge your report within 3 business days
  • Provide an initial assessment within 7 business days
  • Keep you informed of remediation progress
  • Credit you in release notes if you wish, once a fix is shipped
  • Not pursue legal action against good-faith research that follows the rules below

In Scope

  • https://institute-platform.vercel.app and any future production domain
  • Server-side logic in this codebase
  • Authentication / authorization bugs, injection, SSRF, sensitive data exposure

Out of Scope

  • Our underlying infrastructure providers (report those issues directly to the provider)
  • Findings that require physical access, social engineering of staff, or destructive testing
  • Rate-limit hardening, missing security headers, or theoretical issues without a working proof-of-concept
  • Findings against learner data that the user themselves owns and consents to

Rules for Good-Faith Research

  • Do not access, modify, or exfiltrate data that isn’t yours
  • Do not run automated scanners or perform DoS testing
  • Give us a reasonable time to fix before public disclosure (usually 90 days)
  • Don’t use findings to compromise other users