If you believe that you have found a security vulnerability on Socrative, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review this page, including our responsible disclosure policy.
The only target in scope is b.socrative.com. All others such as
help.socrative.com, etc. are out of scope.
Responsible disclosure policies
Socrative aims to keep its service safe for everyone, and data security is of utmost priority. If you're a security researcher and have discovered a security vulnerability in the service, we appreciate your help in disclosing it to us in a responsible manner. In return, we promise to investigate reports promptly.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Performing actions that may negatively affect Socrative or its users (e.g. Spam, Brute Force, Denial of Service, etc).
- Accessing, or attempting to access, data or information that does not belong to you. If you want to test cross-account access please sign up for additional free accounts.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Performing automated vulnerability scans.
- Attempting non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Other important responsible disclosure policies to make note of:
- The target URL is the same used by our customers. Please keep this in mind and act accordingly.
- No attacks against Socrative's existing user base.
- No phishing.
- No DDoS attacks.
- This is Socrative's primary production environment. We accept valid PoCs of app-level Denial of Service vulnerabilities, but PoCs that intentionally stress or risk the availability of our services will be considered abuse.
- Do not create more than 3 accounts as part of your testing. Failure to comply may result in your account access being blocked.
False-positive and/or very minor criticality that will not result in a
change of code.
We are aware of the issues from any other source.
Vulnerabilities like insecure cookies, clickjacking or insufficient
password complexity are generally of low criticality as they are
dependant on other issues and cannot be exploited by themselves.
Cross-site request forgery (XSRF or CSRF) vulnerabilities or those
that might result in the changing of user's data.
Vulnerabilities of high criticality are those that would result in
bypassing authentication. An example of a high critical vulnerability
is a successful SQL-injection that could be used to read data, delete
users, or other kinds of database modifications.
How to report security vulnerabilities
Please do not publicly disclose these details without the express written consent from Socrative.
When reporting a vulnerability, please provide as much detail as you can, to help us with validation and reproduction of it.
Your input and feedback on our security are always appreciated. As much as we want to respond to all reports, it’s not feasible for us to do so. We typically only respond to vulnerability reports that are classified as High or Medium or will receive a reward.
Reports classified as Low, Duplicate, Declined will usually not receive a response but will be added to our internal issue tracker.