If you believe that you have found a security vulnerability on Socrative, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review this page, including our responsible disclosure policy.
The only target in scope is b.socrative.com. All others such as
help.socrative.com, etc. are out of scope.
Responsible disclosure policies
Socrative aims to keep its service safe for everyone, and data security is of utmost priority. If you're a security researcher and have discovered a security vulnerability in the service, we appreciate your help in disclosing it to us in a responsible manner. In return, we promise to investigate reports promptly.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
Performing actions that may negatively affect Socrative or its users (e.g. Spam, Brute Force, Denial of Service, etc).
Accessing, or attempting to access, data or information that does not belong to you. If you want to test cross-account access please sign up for additional free accounts.
Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
Performing automated vulnerability scans.
Attempting non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Theoretical XSS or Self-XSS attacks without evidence of exploitability, such as input being reflected in response.
Email and account policies such as reset method and password complexity.
Other important responsible disclosure policies to make note of:
The target URL is the same used by our customers. Please keep this in mind and act accordingly.
No attacks against Socrative's existing user base.
No DDoS attacks.
This is Socrative's primary production environment. We accept valid PoCs of app-level Denial of Service vulnerabilities, but PoCs that intentionally stress or risk the availability of our services will be considered abuse.
Do not create more than 3 accounts as part of your testing. Failure to comply may result in your account access being blocked.
All submissions made to Socrative shall be Socrative’s “Confidential Information” and must be kept confidential and only used in connection with the researcher’s activities in connection with this Policy. You may not use, disclose or distribute any such Confidential Information without Socrative's prior written consent.
In the event that your security vulnerability results in any unauthorized access to or disclosure of “personal information”, you agree that you shall not export, collect or otherwise use such personal information and you shall notify Socrative immediately of any access to or disclosure of such information.
False-positive and/or very minor criticality that will not result in a
change of code.
We are aware of the issues from any other source.
Vulnerabilities like insecure cookies, clickjacking or insufficient
password complexity are generally of low criticality as they are
dependant on other issues and cannot be exploited by themselves.
Cross-site request forgery (XSRF or CSRF) vulnerabilities or those
that might result in the changing of user's data.
Vulnerabilities of high criticality are those that would result in
bypassing authentication. An example of a high critical vulnerability
is a successful SQL-injection that could be used to read data, delete
users, or other kinds of database modifications.
We use OWASP_Risk_Rating_Methodology as our classification guide.
Liability and Indemnification
Socrative may choose to compensates security researchers based on the following factors:
The severity of the issue identified (we use the OWASP Risk Rating Methodology).
The quality of the reporting.
Socrative’s internal risk assessment of the issue.
Whether or not the issue has already been disclosed to Socrative prior to your submission (we only pay out once per issue).
Socrative will work with the researcher to facilitate payment. Payment amounts are entirely at Socrative’s discretion — which is something you agree to when submitting bugs as part of this program. You are responsible for paying any taxes associated with your receipt of compensation.
In order to be eligible to receive compensation, the following requirements and guidelines apply to all researchers submitting bug reports:
The researcher submitting the bug must not be a current of former (in the past six months before making the submission) employee of subcontractor of Socrative or any of its affiliates, or an immediate family member or household member of an employee of Socrative or any of its affiliates.
The researcher submitting the bug must not be the author of the vulnerable code.
The researcher must not disclose the bug publicly before a fix is released or otherwise try to exploit it
How to report security vulnerabilities
Please do not publicly disclose these details without the express written consent from Socrative.
When reporting a vulnerability, please provide as much detail as you can, to help us with validation and reproduction of it.
Your input and feedback on our security are always appreciated. As much as we want to respond to all reports, it’s not feasible for us to do so. We typically only respond to vulnerability reports that are classified as High or will receive a reward.
Reports classified as Low, Duplicate, Declined will usually not receive a response but will be added to our internal issue tracker.