Responsible Security Reporting Program
GoGuardian has a team of industry-leading engineers who recognize that there's a lot to learn from those who use our products. This Responsible Security Reporting Program allows you to alert GoGuardian of possible security vulnerabilities. We encourage the reporting of security vulnerabilities found in GoGuardian products.
If you find a security vulnerability and wish to participate in our Responsible Security Reporting Program, please use the instructions below to submit a report of your discovery to [email protected].
Program Scope
This program covers legitimate reports, and we take action to correct any security vulnerability that would materially impact the safety of our customers. Bugs that are not security vulnerabilities are not in the scope of this program and are not eligible for a reward. You can still report non-security-related bugs to [email protected].
In-scope
Latest public versions of:
- GoGuardian Admin
- GoGuardian Teacher
- GoGuardian Beacon
- GoGuardian DNS
- GoGuardian Fleet
- GoGuardian Director
- GoGuardian Extension
Examples of in-scope vulnerabilities
- Remote Code Execution
- Unrestricted file system or database access
- Logic flaw bugs leaking or bypassing significant security controls
Out-of-scope
- Any bugs that are not security vulnerabilities
- Social engineering
- Phishing attacks
- Email spoofing
- Previously reported security vulnerabilities
Guidelines
Please report security vulnerabilities responsibly. Informing GoGuardian of any potential security issue(s) will help us focus on areas in future versions of our products. We ask that you commit to protecting the safety of our users and their students, so please allow us time to review submissions through this program and correct any security vulnerabilities that you may discover.
To remain eligible for a reward, it is important that you:
- Do not publicly disclose or exploit any vulnerabilities
- Do not access non-public data any more than is necessary to demonstrate any vulnerability
- Do not modify, delete, or store any data
Report Submissions
In order for our engineering team to quickly pinpoint and understand the impact of the security vulnerability that you are disclosing, we need your help!
An eligible report will:
- Identify an original and previously unreported security vulnerability
- Report a security vulnerability that has been tested against the most recent publicly available version of GoGuardian products
- Include clear documentation on the security vulnerability and detailed instructions on how to reproduce it
- Be reproducible by GoGuardian
- Include a screenshot and/or video of the unintended result(s) of the security vulnerability
Reports must be submitted to [email protected] with the following information:
- Chrome Browser Version and ChromeOS version (if applicable)
- Detailed steps which will reproduce the problem
- Expected result(s)
- Unintended result(s)
- Console output
- Network tab screenshots (if possible)
- Any additional information
Rewards
GoGuardian, in its sole discretion, will reward individuals based on the severity, impact, and quality of their report. Only the first report we receive for any given security vulnerability that meets the criteria above will be eligible for a reward. If a report is submitted by a team of individuals, the reward will be divided amongst them.
We happily accept anonymous security vulnerability reports; however, we cannot reward you or send you a thank-you for them.
This is a discretionary program and GoGuardian reserves the right to change or discontinue any aspect or feature of the program.