Security and privacy are top priorities at Coursera. We believe that no
technology is perfect and that working with skilled security researchers
across the globe is crucial in identifying weaknesses in our technology. If
you believe you've found a security bug in our service, we are happy to work
with you to resolve the issue promptly.
We consider a report to be a security issue when you can perform one or more of
the following actions by exploiting a technical problem or misconfiguration on
the Coursera platform:
- Access data that you are not normally authorized to access as a learner (e.g. other learners' grades or private forum posts).
- Affect another learner outside of normal interactions on the Coursera platform (e.g. causing scripts to run in another user's browser, changing another user's grades, etc.).
- Access Coursera's internal administrative control systems.
Coordinated Disclosure Rules
- Please let us know as soon as possible after discovering a potential security issue, and we'll make every effort to correct it quickly.
- Give us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Refrain from leaking, manipulating, or destroying any user data. Only test against accounts you own yourself or for which you have the explicit permission of the account holder.
- Please refrain from automated/scripted account creation.
The following activities are not part of the scope of this program:
- Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website (defined as the domains www.coursera.org, class.coursera.org, accounts.coursera.org, and api.coursera.org) or on our internal administrative tools.
- Denial of Service
- Standard user enumeration attacks
- Social engineering our employees, contractors, or users
- Attempts to access our offices or data centers
- Reports indicating a lack of rate limiting on certain APIs
- Reports that solely indicate the absence of a possible security defense, such as certificate pinning or two-factor authentication.
- Reports indicating a lack of DMARC, DKIM, or similar protection or identity verification for our email systems. Repeated submissions of such reports will be closed as spam.
We believe in recognizing the work of others. If your work helps us improve
the security of our service, we'd be happy to acknowledge your
contribution. Thank you for keeping Coursera safe!