At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.
We're committed to maintaining a safe website where student data is
appropriately protected. If you've discovered a security issue in Khan
Academy, we'd love to work with you. Please let us know about it and we'll fix
the issue as soon as we can.
- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps (iOS, Windows 8)
- Our API includes an OAuth flow for authorizing access to a Khan Academy account
- Parts of our website and infrastructure are open source on GitHub
- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account
Notes & Exclusions
- Some parts of our site are hosted by third parties on subdomains (including life and crowdin); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site
- Several of our internal services, including our mobile build server, deliberately have some public parts. This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.
- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.
- Issues that only apply to browsers we do not support are generally lower-priority, although we'll still accept more serious issues.
- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.
To be considered a valid vulnerability, you must be able to demonstrate a way
to negatively impact other users. Methods of changing your own experience -
including granting yourself energy points - are not considered security
Non-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.
We believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our Hall of Fame and to make you the proud owner of a Friendly Hacker badge on Khan Academy.
Hall of Fame