Last updated: July 14th, 2025
At Scholar Within, we take the security of our systems seriously and deeply value the contributions of the security community. Responsible disclosure of security vulnerabilities helps protect our users and maintain the integrity of our platform.
Guidelines
We require that all researchers:
- Make every effort to avoid privacy violations, disruption of user experience, degradation of service, and destruction or unauthorized access to data
- Conduct research strictly within the defined scope below
- Use our designated communication channel to report any findings
- Keep all vulnerability information confidential between yourself and Scholar Within until we’ve had 90 days to investigate and resolve the issue
If you follow these guidelines, we commit to:
- Not pursuing or supporting legal action related to your research
- Working with you to understand and address the issue promptly (including an initial confirmation within 7 business days of your submission)
- Acknowledging your responsible disclosure if you’re the first to report the issue and we make a change as a result
Scope
- https://scholarwithin.com
- Scholar Within’s Summer Reading Program, Homeschool Reading Program, Spelling Program, Fluency Program, and all related subdomains and web applications
Out of Scope
The following are outside the scope of this policy:
- Services hosted by third-party providers (e.g., Stripe, ConvertKit, Mailchimp, AWS)
- Physical security tests (e.g., office access, tailgating)
- Social engineering attacks (e.g., phishing, vishing)
- Denial of Service (DoS/DDoS) or brute force attacks
- UI/UX bugs, spelling errors, or cosmetic issues
- Any systems or apps not explicitly listed in the “Scope” section
Things We Do Not Want to Receive
Please do not include the following in your reports:
- Personally Identifiable Information (PII)
- Credit card or payment data
How to Report a Security Vulnerability
If you believe you’ve found a security vulnerability in our systems, please contact us at hello@scholarwithin.com. When reporting, include as many of the following details as possible to help us assess and address the issue:
- A summary of the vulnerability and how it was discovered
- The type and severity of the issue
- Technical details describing how the vulnerability works
- Steps to reliably reproduce the issue, including relevant URLs or system areas
- Proof-of-concept materials, such as scripts, screenshots, or screen recordings
- The potential impact on systems, data, or users
- Any suggested remediation or mitigation
- Your name or handle and a link for optional public recognition
Responsible Research and Good Faith Commitment
While we reserve the final and sole discretion to determine whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you follow the terms outlined below during your security research and vulnerability disclosure process.
By submitting a vulnerability report, you agree to:
- Conduct testing solely to identify and report security vulnerabilities
- Avoid causing harm, including no data destruction, unauthorized access, or service disruption
- Limit exploitation to what is minimally necessary to confirm the vulnerability
- Avoid accessing or using any data that is not your own. If access to data is inadvertent, report it and delete it immediately
- Not retain, exfiltrate, or share any data accessed during testing
- Coordinate with us and refrain from public disclosure until receiving written permission. Note: Scholar Within supports your right to publicly disclose vulnerabilities. We only ask for coordinated timing to avoid undue risk to our systems and users.
- Never attempt to compromise accounts that do not belong to you
- Avoid social engineering tactics, including phishing or vishing, against Scholar Within staff
- Never use the threat of disclosure to demand payment or compensation
- Not be subject to U.S. government sanctions or reside in a sanctioned country
- Comply with all applicable laws during your research activities
Changes to This Policy
Scholar Within reserves the right to modify this Vulnerability Disclosure Policy at any time. Updates will be posted with a revised “last updated” date. Any vulnerabilities reported before such changes will remain governed by the version of the policy in effect at the time of disclosure.