Bug Bounty Program


We are in the process of moving over to HackerOne. During this time, we’re pausing this program.

Introduction

At TeachFX, we value the security of our platform and recognize the importance of the developer and security researcher community in helping us maintain the highest standards of security and privacy for our users. Our Bug Bounty Program rewards security researchers who responsibly disclose vulnerabilities they've discovered in our systems. Please read the rules before proceeding.

Scope

Only the following domains and applications are considered in-scope.

  • api.teachfx.com

  • portal.teachfx.com

  • TeachFX mobile applications (iOS, Android)

Out-of-scope Vulnerabilities

Some examples of vulnerabilities that are out-of-scope:

  • Any HubSpot forms / live chat

  • Theoretical vulnerabilities without practical proof of exploit

  • Self-XSS

  • Denial of Service attacks

  • Issues in third-party services we use but don't control

Reward

The reward for vulnerabilities ranges from $100 to $5,000 based on the impact and severity of the finding. All rewards are paid in USD.

  • Critical vulnerabilities: Up to $5,000

  • High severity vulnerabilities: Up to $2,000

  • Medium severity vulnerabilities: Up to $500

  • Low severity vulnerabilities: $100

How to Report

  1. Email your findings to bugbounty@teachfx.com.

  2. Provide a detailed written report, including steps to reproduce, proof of concept, and any other information that may help us understand the nature and impact of the vulnerability.

  3. Please provide your contact details for further communication.

  4. You can expect a response from us within 3 weeks of submission.

  5. Once you’ve completed testing, please delete your account(s).

Rules

  1. Do not disclose the vulnerability to the public until we've addressed it.

  2. Do not exploit the vulnerability beyond what's necessary to demonstrate it.

  3. Do not harm TeachFX or its users. Do not steal data or disrupt our services.

  4. Researchers must not violate any laws.

  5. All vulnerabilities must be new discoveries. Awards will be provided only to the first researcher who submits a particular vulnerability.

Legal

By participating in the TeachFX Bug Bounty Program:

  • You acknowledge that you have read and agree to our Terms of Service and Privacy Policy.

  • You grant TeachFX a perpetual, irrevocable license to use and share any information you provide to us as part of the program, without compensation.

  • You release TeachFX from any legal action related to your participation in this program.

Feedback and Updates

We value the security community's feedback on our program and are open to suggestions for improvements. We may also update the terms, scope, or rewards based on the feedback and the evolving security landscape.

Thank you for your help in keeping TeachFX and our users safe!