Vulnerability Disclosure Policy

As a provider of technology solutions to schools, Amplify’s commitment to data privacy and security is essential to our organization. Amplify demonstrates that commitment in part through the physical, technical, and administrative safeguards we maintain to protect student data and other sensitive information entrusted to our care.

Amplify looks forward to working with the security community to find security vulnerabilities and support our efforts to keep our data and systems safe and secure.

Before reporting a vulnerability, please read our program rules, eligibility overview, report submission rules and guidelines, legal terms, and out-of-scope list set out below.

General Rules

  • We appreciate reports on any Amplify-owned asset, but only vulnerabilities that prove to be outside of expected behavior are eligible for acceptance.
  • Reports involving third party services or providers not under Amplify’s control are out-of-scope for submission.
  • Amplify places a high priority on privacy. Vulnerabilities in the areas of inadvertent exposure of our customers’ personally identifiable information (PII) are considered to be of Critical severity.
  • We classify vulnerability severity per CVSS (the Common Vulnerability Scoring System). These are general guidelines, and the ultimate decision over a reward – whether to give one and in what amount – lies entirely within our discretion on a case-by-case basis.
  • In order to receive a reward for a validated report, you must have a HackerOne account. Please note that these are general guidelines and that reward decisions are subject to the discretion of Amplify.
  • Only interact with test accounts that you created via self-signup or that were provided by Amplify. The use of any other credentials for testing purposes, including legacy credentials supplied through the program and leaked credentials from third parties, is strictly prohibited.
  • Do not contact Amplify’s customer support for questions or to submit a vulnerability report.
  • Amplify may, in its sole discretion, disqualify you if you breach this policy or fail to comply with any of the program’s rules and terms.
  • Amplify reserves the right to cancel or modify this program without notice at any time.

Eligibility

  • You are not eligible for participation if you 1) are employed by Amplify or any of its affiliates, 2) are an immediate family member of a person employed by Amplify or any of its affiliates, or 3) left the employment of Amplify or its affiliates or subsidiaries within the past twelve (12) months.
  • You are not eligible for participation if you have been prohibited in writing from participating in the Bug Bounty Program by Amplify at any time.
  • You may not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to conducting your tests.
  • You may not compromise the privacy or safety of our customers or the operation of our services.
  • You may not cause harm to Amplify, our customers, or others.
  • You must follow the policy guidelines to responsibly disclose vulnerabilities to Amplify.

Vulnerability Submission Rules & Guidelines

  • Any testing conducted on customer data or accounts is strictly prohibited and will result in removal from the program.
  • If during the course of testing you encounter any sensitive data outside of your test accounts (including student or teacher names, login info, assessment data, activity data, and student work, etc.), please cease testing immediately and report what you have found. DO NOT include any text, screenshots, etc. with PII in the report. This action safeguards both potentially vulnerable data and yourself.
  • Do not access, download, or share any data you encounter in your testing.
  • Only interact with test accounts that you created or that we provided. The use of any credentials outside of these areas for testing purposes is strictly prohibited.
  • Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • In some cases, you may not have all of the context information to assess the impact of a vulnerability. If you’re unsure of the direct impact but are reasonably certain that you have identified a vulnerability, we encourage you to submit a detailed report and state the open questions on impact.
  • When duplicate submissions for the same vulnerability occur, we only award the first report that was received, provided that it can be fully reproduced.
  • Multiple reports describing the same vulnerability against multiple assets or endpoints must be submitted within a single report.
  • Avoid destruction of data and interruption or degradation of our service.
  • Proof of Concept (POC) videos that do not include PII are highly recommended to help verify the issue, provide clarity, and save time on triage.
  • Please provide timely responses to any follow-up questions and requests for additional information.
  • Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.
  • Reports submitted using methods that violate policy rules will not be accepted and may result in suspension from, or denial of entry to, the program.
  • Please refer to any noted out-of-scope areas listed under Out-of-Scope Vulnerabilities.

Out-of-Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out-of-scope. In addition, please refer to any noted out-of-scope areas listed under the program assets.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • CSRF that requires knowledge of a secret.
  • Automated tools that could generate significant traffic and possibly impair the functioning of our services.
  • Testing or demonstrating the ability to upload unlimited audio/video files to exhaust resources.
  • Leaked credentials from third party providers, including invalid or stale employee credential dumps, and/or leaked personal information of Amplify staff.
  • Leaked credentials for Amplify customers not caused by vulnerabilities in our systems.
  • Vulnerabilities identified via third party services or providers where Amplify is not the owner.
  • Issues that merely result in spam/annoyance without additional impact (e.g. sending emails without sufficient rate limiting).
  • Attempts to access our offices or data centers.
  • Any activity that could contribute to the disruption of our service (DoS). Automated scanning tests should be kept to 10 requests per second or less.
  • Self XSS.
  • Broken links and/or crashes in general.
  • Issues that require unlikely user interaction.
  • Issues that do not affect the latest version of modern browsers.
  • Issues that require physical access to a victim’s computer/device.
  • Disclosure of information that does not present a significant risk.
  • Please refer to any noted out-of-scope areas listed under program assets.

Legal

  • Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform.
  • Researchers must follow HackerOne’s disclosure guidelines. Public disclosure or disclosure to other third parties without the explicit permission of Amplify is prohibited.
  • We will not take legal action against you if vulnerabilities are found and responsibly reported in compliance with all of the terms and conditions outlined in this policy.
  • Amplify reserves the right to modify the terms and conditions of this program without notice at any time, and your participation in the Program constitutes acceptance of all terms.


NO PURCHASE NECESSARY. A PURCHASE DOES NOT INCREASE YOUR CHANCES OF WINNING. VOID WHERE RESTRICTED OR PROHIBITED BY LAW.

These Terms and Conditions (the “T&Cs”) apply to each sweepstakes offered by Amplify Education, Inc. (the “Sponsor”) on a webpage, email, or other document that links to these T&Cs (the “Entry Page”). For detailed rules for each sweepstakes, please review the sweepstakes rules on the Entry Page (such rules, the “Sweepstakes Rules”). These Terms and Conditions, together with the Sweepstakes Rules, will comprise the “Official Rules” for the sweepstakes.

To enter

Fill out the entry form on the Entry Page. Limit of one (1) entry per person using only one (1) email address for each drawing conducted during the sweepstakes period. Eligibility of individual entries will be at the sole discretion of the Sponsor, for any reason or for no reason, though specific reasons for disqualification may include use of inappropriate language. Entries generated by script, macro, mechanical or other automated means and entries by any means which subvert the entry process are void. Multiple entries received from any person in excess of the stated limitation will be void. Sponsor is not responsible for incomplete, lost, late, stolen, misdirected, damaged, illegible entries, for address changes of entrants, or for malfunctions of electronic or telephone equipment, computer hardware or software, failure of any entry to be received on account of technical problems or traffic congestion on the Internet, or any combination thereof, including any injury or damage to any entrant’s or any other person’s computer or other property related to or resulting from participation in the sweepstakes, or for other problems related to electronic entries. All entries become the property of Sponsor and will not be returned.

Eligibility

In addition to any eligibility restrictions contained in the Sweepstakes Rules, each sweepstakes is open only to individual legal residents of the states of the United States or the District of Columbia, except for residents of Rhode Island, who are at least 13 years of age as of the time of entry.

  • Minors – Parents and Guardians: An eligible person under the age of majority in such person’s jurisdiction must have his/her parent’s or legal guardian’s consent to enter this sweepstakes. The parent(s) or legal guardian(s) of an entrant under the legal age of majority in his/her jurisdiction of residence (a) will ensure that the entrant in respect of whom they agree to the Official Rules will comply with the Official Rules; and (b) warrant that he/she agrees to the Official Rules and gives the consents contained herein, including permission for his/her child/ward to participate in this sweepstakes. The parent(s) or legal guardian(s) of each such entrant agree to indemnify the Released Parties (as defined below) for and against: (i) any claims made by the entrant, his or her legal guardian(s), or any member of his or her family against the Released Parties in connection with this sweepstakes; and (ii) any losses (including any liability) caused by any conduct of the entrant that is inconsistent with the Official Rules.
  • Teachers/School Personnel: By entering this sweepstakes, you represent and warrant that your participation in this sweepstakes complies with your school, institution, school board and school district policies. Any entry submitted in violation of such policies may result in disqualification. Verification: Amplify reserves the right to verify an individual’s eligibility, compliance with applicable policies in the case of teachers and school personnel and, if applicable, a parent’s or legal guardian’s consent to enter the sweepstakes by requesting proof of identity, compliance, or eligibility in the form acceptable to Amplify. Failure to provide such proof may result in disqualification, such that entrant will no longer be eligible to participate in the sweepstakes and will have no recourse or other opportunity to submit an entry.
  • Entrant: In the event of a dispute regarding any entry, the entry will be deemed made by the authorized account holder of the e-mail address submitted at the time of entry (i.e., the natural person who is assigned to an email address by an Internet access provider, online service provider or other organization responsible for assigning email addresses for the domain associated with the submitted e-mail address).
  • Ineligibility: Employees of Amplify, its advertising and promotion agencies, its contest administration agents, and each of Amplify’s and such agencies’ respective parent companies, subsidiaries and affiliates (all of the foregoing, the “Sweepstakes Entities”), and such employees’ immediate family and household members, are not eligible.

Drawing

Winners will be selected on the date(s) specified in the Sweepstakes Rules (the “Drawing Dates”). Each winner will be selected in a random drawing from all eligible entries received since the beginning of the sweepstakes period or the prior Drawing Date, as applicable. Winner does not need to be present to win. The drawing(s) will be conducted by Sponsor or its designee, the judge of the sweepstakes, whose decisions are final and binding on all matters relating to the sweepstakes. Winner will be required to sign and return an affidavit of eligibility/liability and publicity release, or the prize will be forfeited and an alternate winner selected.

Prize and odds of winning

The Prizes and number to be awarded are specified in the Sweepstakes Rules. Odds of winning depend on the number of eligible entries received. Prizes will be awarded. No prize substitutions, upgrades or cash equivalents, except at the sole discretion of the Sponsor if an advertised prize becomes unavailable. Prizes are non-transferable. All taxes, if any, associated with the prize are the winner’s sole responsibility.

General

By entering, entrants agree to: (1) release the Sponsor, its agents, and any platforms used to conduct the sweepstakes, such as Facebook, Twitter, or others (each, a “Platform” and together with Sponsor and its agents, the “Released Parties”), from all liability, injuries, loss and/or damage of any kind arising from their participation in the sweepstakes and the acceptance, possession and use/misuse of any prize; (2) be bound by the Official Rules and the decisions of the judge; and (3) be contacted by Sponsor by mail, telephone and/or email regarding the sweepstakes. The sweepstakes is in no way sponsored, endorsed or administered by, or associated with, any Platforms used to promote it. By accepting a prize, winner consents to the use of his/her name and likeness for advertising and promotional purposes without additional compensation in all media worldwide (except where prohibited by law). The sweepstakes is subject to all applicable federal, state and local laws and regulations. If for any reason the sweepstakes is not capable of running as planned, including due to an infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of this sweepstakes, Sponsor and its agents reserve the right, at their sole discretion, to modify, suspend or terminate the sweepstakes, and to select the winner from all eligible entries received prior to the termination and/or to disqualify any individual who is responsible for or who tampers with the entry process. This sweepstakes is governed by the laws of the State of New York, with venue in New York County, New York, and all claims must be resolved in the state or federal courts in New York County, New York.

Removal from future mailings

To have your name and address removed from Sponsor’s future mailings, please select the unsubscribe link in any email you receive from Sponsor. Sponsor will process your request within 60 days.

Winner’s name

For the name of the winner, email mail@amplify.com or send a stamped, self-addressed envelope to be postmarked within 15 days and received within 30 days of the relevant Drawing Date to: Amplify, Marketing Department, Winner’s Name, 55 Washington Street, Suite 800, Brooklyn, NY 11201.

Sponsor

Amplify Education, Inc., 55 Washington Street, Suite 800, Brooklyn, New York 11201.