Banner object (1)

Hack and Take the Cash !

751 bounties in database
Khan Academy logo

Khan Academy

At Khan Academy, we're a small, non-profit team trying to give a free, world- class education to anyone, anywhere.

We're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. Please let us know about it and we'll fix the issue as soon as we can.


  • We're interested in technical vulnerabilities in any * website or in our official mobile apps (iOS __, Windows 8 __)
  • Our API __includes an OAuth flow __for authorizing access to a Khan Academy account
  • Our computer programming section __intentionally allows the execution of user-provided JavaScript, but execution is sandboxed to an iframe on a different domain (; running arbitrary JS within the iframe is not considered a vulnerability unless it leads to another attack
  • Parts of our website and infrastructure are open source on GitHub __
  • If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account

Notes & Exclusions

  • Some parts of our site are hosted by third parties on subdomains (including life __and crowdin __); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site
  • Several of our internal services, including our mobile build server __, deliberately have some public parts. This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.
  • We generally only consider spoofing an email that appears to be sent from as an issue if you can point to specific settings (e.g. SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.
  • Issues that only apply to browsers we do not support __are generally lower-priority although we'll still accept more serious issues.
  • Our Turkish language advocates run a site at __-- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.

To be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security issues.

Non-security-related issues can be reported to our public bug tracker, Zendesk: __.


We believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our Hall of Fame and to make you the proud owner of a Friendly Hacker __badge on Khan Academy.

Hall of Fame

List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2019