Responsible Disclosure Program
The security of users' data is of the highest importance to CommonLit. We want to maintain a safe environment for learners. If you've discovered or believe you have discovered potential security vulnerabilities in CommonLit, we appreciate your help and encourge you to disclose your findings to us as quickly as possible in a responsible manner.
We request that you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems.
- Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
- Do not submit a high volume of low-quality reports.
Types of testing
The following test types are not authorized:
- Network denial of service (DoS or DDoS) tests
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
Issues not to Report
The following is a partial list of issues that we ask for you not to report, unless you believe there is an actual vulnerability:
- CSRF on forms that are available to anonymous users
- Disclosure of known public files or directories (e.g. robots.txt)
- Domain Name System Security Extensions (DNSSEC) configuration suggestions
- Banner disclosure on common/public services
- HTTP/HTTPS/SSL/TLS security header configuration suggestions
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- Logout Cross-Site Request Forgery (logout CSRF)
- Phishing or Social Engineering Techniques
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Sender Policy Framework (SPF) configuration suggestions
Reporting Security Issues
If you believe you have discovered a security vulnerability issue, please share the details with CommonLit by filling the form below.
What you can expect from us:
- Bugcrowd will start actioning your report within 3 business days and we'll work with them to provide you regular updates.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- An open dialog to discuss issues.
Email communication between you and CommonLit, including without limitation, emails you send to CommonLit reporting a potential security vulnerability, should not contain any of your proprietary information. The contents of all email communication you send to CommonLit shall be considered non-proprietary. Commonlit, or any of its affiliates, may use such communication or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting. Further, CommonLit and its affiliates are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to CommonLit for any purpose whatsoever, including, but not limited to, fixing, developing, manufacturing, and marketing products. By submitting any information, you are granting CommonLit a perpetual, royalty-free and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform,