Report a vulnerability
Amplify currently participates in a private bug bounty program through HackerOne. Please report any vulnerability findings through this submission form to be reviewed for next steps. If you have any questions, please contact us at vulnerability@amplify.com.
Vulnerability Disclosure Policy
As a provider of technology solutions to schools, Amplify’s commitment to data privacy and security is essential to our organization. Amplify demonstrates that commitment in part through the physical, technical, and administrative safeguards we maintain to protect student data and other sensitive information entrusted to our care.
Amplify looks forward to working with the security community to find security vulnerabilities and support our efforts to keep our data and systems safe and secure.
Before reporting a vulnerability, please read our disclosure policy, program terms, and other reporting rules and guidelines set out below.
General Rules
- We appreciate reports on any Amplify-owned asset, but please note that only vulnerabilities on in-scope assets are eligible for bounty. You will have access to the description of in-scope program upon accepting an invitation to the program.
- Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are subject to the discretion of Amplify.
- Consistent with HackerOne standard program terms, we reserve the right to cancel or modify this program without notice at any time.
- Amplify may, in its sole discretion, remove you from the program or disqualify you if you breach this policy or fail to comply with any of the program’s terms.
- You are not required to sign up for HackerOne in order to report a vulnerability or receive updates. However, we recommend signing up if you’d like to receive an invite to our private program, view additional details for our in-scope assets and access additional test credentials.
Disclosure Policy
- Follow HackerOne’s disclosure guidelines.
- Public disclosure or disclosure to other third parties without the explicit permission of Amplify is prohibited.
Vulnerability Submission Rules & Guidelines
- Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- In some cases, you may not have all of the context information to assess the impact of a vulnerability. If you’re unsure of the direct impact but are reasonably certain that you have identified a vulnerability, we encourage you to submit a detailed report and state the open questions on impact. If the report is detailed but ineligible, we will generally allow self-closure.
- Provide timely responses to any follow-up questions and requests for additional information.
- When we receive duplicate submissions for the same vulnerability, we only award the first report that was received, provided that it can be fully reproduced.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Avoid destruction of data and interruption or degradation of our service.
- Only interact with test accounts that you created or that we provided.
- Do not contact Amplify’s customer support to submit a vulnerability report.
- Please do not submit videos unless we explicitly request one.
- Do not access, download, or share data you encounter in your testing.
- If during the course of testing you encounter any customer data outside of your test accounts (including student or teacher names, login info, assessment data, activity data, and student work), please cease testing immediately and report what you have found.Do not include any text, screenshots, etc. with customer data in the report.
Requirements
- You are not eligible for a reward if you are employed by Amplify or any of its affiliates or are an immediate family member of a person employed by Amplify or any of its affiliates.
- Your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes.
- You may not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to conducting your tests.
- You may not compromise the privacy or safety of our customer and the operation of our services;
- You may not cause harm to Amplify, our customers, or others;
- You must follow the policy guidelines to responsibly disclose vulnerabilities to Amplify.
Security Team Response Targets
- We will do our best to respond to your submission within these timelines:
- Time to first response (from report submit) – 3 business days
- Time to triage (from report submit) – 3 business days
- Time to bounty (from triage) – 7 business days
- We will do our best to keep you updated as we work to fix the bug you submitted.
- We will not take legal action against you if you play by the rules.
- We’ll try to keep you informed about our progress throughout the process and notify you once the vulnerability has been resolved.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Self XSS.
- XSRF that requires the knowledge of a secret.
- Please refer to any noted Out of Scope areas listed under the program assets.
- Automated tools that could generate significant traffic or possibly impair the functioning of our services.
- Denial-of-service (DoS) attacks. Automated scanning tests should be kept to 10 requests per second or less.
Confidentiality
Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform.
If you have any questions about Amplify’s security program, please send an email to vulnerability@amplify.com.
Thank you for helping keep Amplify and our users safe!