Teachable is committed to ensuring the safety and security of all of our users. Toward this end, Teachable has established this Responsible Disclosure Policy to accept vulnerability reports. If you believe that you have identified a potential security vulnerability, we appreciate your help in disclosing the vulnerability in accordance with the guidelines established in this policy.
We hope to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our users. By responsibly submitting your findings to Teachable in accordance with these guidelines, Teachable agrees not to take legal action against you. Teachable reserves all of its legal rights in the event of any noncompliance.
We appreciate researchers assisting us in our security efforts, and thank you in advance for your submission.
Guidelines
We require that all researchers disclose potential vulnerabilities in accordance with the following guidelines:
- Do not engage in any activity that can potentially or actually cause harm to Teachable, our users, or our employees.
- Do not engage in any activity that can potentially or actually stop or degrade Teachable services or assets.
- Do not engage in any activity that violates any applicable federal, state, local, or international law or regulation (including, without limitation, the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity).
Submission Rules
Please let us know if you encounter accessibility barriers on Teachable. You can provide feedback by writing to us at support@teachable.com or submitting a support ticket.
Out of Scope Vulnerabilities
Before reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are out of scope of this policy:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or brute force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tabnabbing.
- Open redirect - unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
Teachable’s Commitment
If you responsibly submit a vulnerability report, we commit to:
- Promptly acknowledge receipt of your vulnerability report (within two business days of submission).
- Keep you reasonably informed of the status of any validated vulnerability that you report through this program.
- Not pursue or support any legal action related to activities conducted under this policy.
Thank you for helping keep Teachable, our students, and creators safe!
If you have any questions about this Responsible Disclosure Policy, please contact us at security@teachable.com. Do not submit vulnerability reports to this address.