TL;DR

Do no harm. Respect users’ privacy. Research and disclose in good faith.

Udemy is a global marketplace for learning and instruction. By connecting students all over the world to the best instructors, Udemy is helping individuals reach their goals and pursue their dreams. Udemy has offerings for individuals, companies, and governments. The integrity of our customers’ data is extremely important to us, and our bug bounty program reflects that. Thank you for taking the time to help make Udemy a better place. We look forward to your reports.

Response Targets

Udemy will make the best effort to meet the following response targets for hackers participating in our program. Please note that we rely on HackerOne associates for initial triage:

• Time to first response (from report submit) - 3 business days

• Time to triage (from report submit) - 5 business days

• Time to bounty (from triage) - 30 business days

• Time to resolution (from triage) - 2 business days to several months based on the CVSS score

We'll keep you informed about our progress throughout the process.

Disclosure Policy

• Follow HackerOne's disclosure guidelines.

• Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Udemy or HackerOne employees) before public disclosure through HackerOne’s website. Please note that we don’t publicly disclose every vulnerability submitted via HackerOne.

Program Rules

• Please provide reproducible steps. If the report is not precise enough to reproduce the issue, it will not be eligible for a reward. Video-only PoCs will not be considered.

• As a researcher, you know best what is wrong with the code you attack, so we appreciate suggestions for how to fix it.

• Submit one vulnerability per report, unless you need to chain multiple vulnerabilities to have an impact.

• When duplicates occur, we only award the first report received that contains enough detail for us to fully reproduce the issue.

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Researchers may not, and are not authorized to engage in any activity that would be disruptive, damaging, or harmful to Udemy’s brand, its users, or their data. This includes social engineering (e.g. phishing), physical security, and denial of service attacks against users, employees, or Udemy as a whole.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

• Only interact with accounts you own or have explicit permission from the account holder to use. Please create a new account or team plan for your testing so as not to compromise the privacy of our users inadvertently.

• Do not leak, manipulate, or destroy any user data. If you uncover user personal data, please take the following actions: Stop investigating. Report this immediately to Udemy through the bug bounty program as soon as practically possible. Do not retain, transfer or disclose any of the personal data.

• Only reports submitted to this program and against assets in scope will be eligible for a monetary award.

• Minimize the mayhem. Do not use automated tools in a way that would seriously impact the performance of our servers or leave a mess behind.

• Previous bounty amounts are not considered a precedent for future bounty amounts.

In Scope

We are primarily interested in exploits that impact:

• Our website, www.udemy.com and Udemy Business subdomains such as yourcompany.udemy.com.

• Our iOS and Android mobile apps.

• Our systems which send email from udemy.com and udemymail.com.

Out of Scope Vulnerabilities

• Anything that’s very low on the CVSS scale.

• Clickjacking on pages with no sensitive actions.

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.

• Attacks requiring MITM or physical access to a user's device or our data centers.

• Previously-known vulnerable libraries without a working proof of concept.

• Content downloading that is not covered by DRM.

• Content spoofing or HTML injection in places where we intentionally accept HTML.

• Exploits that do not impact our users’ data or the health of our service.

• Denial of Service exploits.

• Exploits that require significant social engineering.

• Missing best practices in Content Security Policy (CSP).

• Missing HttpOnly, Secure, etc. flags on cookies.

• Vulnerabilities that only affect users of browsers we no longer support.

• Issues that require incredibly unlikely user interaction.

• Software version disclosure, banner identification issues, minorly descriptive error messages, or minorly descriptive headers.

• Trivial enumeration of our users, courses, etc. in cases where we are exposing integer IDs.

• A course can be configured in a way that the course’s enrollment page is password-protected or invitation-only. Courses also exist in a state called "draft mode" before they are published. Anything that incorrectly assumes that these are truly private courses is out of scope. However, courses created as part of a UB organization are private to that organization; any violation of that would be considered in scope.

• In general, issues in software or hardware not under Udemy’s control.

Other Things Explicitly in Scope

• Non-trivial vectors for fraud (CVSS may not apply straightforwardly, so use None, Low, or High for the impact variable as appropriate to obtain a score).

• XSS and HTML injection in places where it’s clear we don’t mean to permit HTML.

• Anything specific to our use of Comply Exchange that results in a CVSS score of medium or higher.

Private Programs

Udemy may occasionally run a private program on HackerOne in addition to our public program. Researchers who have provided substantial value over a long period may be invited into that private program and given additional resources or access.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If a third party initiates legal action against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Udemy and our users safe. Happy hacking!