Responsible Disclosure Policy

Please read this document carefully.
Last updated on Feb 3rd, 2026

Teachable is committed to ensuring the safety and security of all of our users. Toward this end, Teachable has established this Responsible Disclosure Policy to accept vulnerability reports. If you believe that you have identified a potential security vulnerability, we appreciate your help in disclosing the vulnerability in accordance with the guidelines established in this policy.

We hope to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our users. If you responsibly submit your findings to Teachable in accordance with these guidelines, Teachable agrees not to take legal action against you. Teachable reserves all of its legal rights in the event of any noncompliance.

We appreciate researchers and other professionals assisting us in our security efforts, and thank you in advance for your submission.

Guidelines

  • We ask that all researchers disclose potential vulnerabilities in accordance with the following guidelines:
    • Do not engage in any activity that can potentially or actually cause harm to Teachable, our users, or our employees.
    • Do not engage in any activity that can potentially or actually stop or degrade Teachable services or assets.
    • Do not engage in any activity that violates any applicable federal, state, local, or international law or regulation (including, without limitation, the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, (iii) the researcher is conducting research activity, or (iv) the owner of data is located).

Submission Rules

  • Please include the following information in your vulnerability report:
    • Detailed description of the vulnerability.
    • Proof of concept (PoC) - steps to reproduce the vulnerability.
    • Researcher's contact information. Anonymous submissions are allowed.

Out of Scope Vulnerabilities

  • Before reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are out of scope of this policy:
    • Clickjacking on pages with no sensitive actions.
    • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
    • Attacks requiring MITM or physical access to a user's device.
    • Previously known vulnerable libraries without a working Proof of Concept.
    • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
    • Missing best practices in SSL/TLS configuration.
    • Any activity that could lead to the disruption of our service (DoS).
    • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
    • Rate limiting or brute force issues on non-authentication endpoints.
    • Missing best practices in Content Security Policy.
    • Missing HttpOnly or Secure flags on cookies.
    • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
    • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
    • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
    • Tabnabbing.
    • Open redirect - unless an additional security impact can be demonstrated.
    • Issues that require unlikely user interaction.

Disclosure Timeline

We ask that researchers allow Teachable approximately 90 days to address any validated vulnerabilities before public disclosure. We are committed to working in coordination with researchers to determine an appropriate disclosure timeline.

Teachable's Commitment

  • If you responsibly submit a vulnerability report, we commit to:
    • Promptly acknowledge receipt of your vulnerability report.
    • Keep you reasonably informed of the status of any validated vulnerability that you report through this program.
    • Not pursue or support any legal action related to activities conducted under this policy.
    • Provide public acknowledgment or credit upon request.

Thank you for helping keep Teachable, our students, and creators safe!

If you have any questions about this Responsible Disclosure Policy, please contact us at bugbounty@teachable.com.