18/08/2015
Thanks
Gift
Hall of Fame
Reward

In Scope

Scope Type Scope Name
web_application www.coursera.org

Coursera

Security and privacy are top priorities at Coursera. We believe that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology. If you believe you've found a security bug in our service, we are happy to work with you to resolve the issue promptly.

We consider an issue to be a security issue when you can perform one or more of the following actions by exploiting a technical problem or misconfiguration on the Coursera platform:

  • Access data that you are otherwise not authorized to access normally as a learner (e.g. accessing other learners' grades or private forum posts).
  • Affect another learner outside of normal interactions on the Coursera platform (e.g. causing scripts to run in another user's browser, changing grades of another user, etc.).
  • Access Coursera's internal administrative control systems.

Coordinated Disclosure Rules

  • Please let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly correct the issue.
  • Provide us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Refrain from leaking, manipulating, or destroying any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.
  • Please refrain from automated/scripted account creation.

Exclusions

The following activities are not part of the scope of this program:

  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website (defined as the domains www.coursera.org, class.coursera.org, accounts.coursera.org, and api.coursera.org) or our internal administrative tools.
  • Denial of Service
  • Spamming
  • Standard user enumeration attacks
  • Social engineering our employees, contractors, or users
  • Attempts to access our offices or data centers
  • Reports indicating a lack of rate-limiting on certain APIs
  • Reports solely indicating a lack of a possible security defense such as certificate pinning or two-factor authentication.
  • Reports indicating a lack of DMARC, DKIM or similar protection or identity verification for our email systems. Further posting of these reports will be closed as Spam.

Thanks

We believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to acknowledge your contribution. Thank you for keeping Coursera safe!
