At Khan Academy, we're a small, non-profit team trying to give a free, world-class education to anyone, anywhere.
We're committed to maintaining a safe website where student data is appropriately protected. If you've discovered a security issue in Khan Academy, we'd love to work with you. Please let us know about it and we'll fix the issue as soon as we can.
- We're interested in technical vulnerabilities in any *.khanacademy.org website or in our official mobile apps (iOS, Google Play)
- Parts of our website and infrastructure are open source on GitHub
- If you need a Khan Academy account (or two) to test your vulnerability, create a new one; don't use another user's account
Notes & Exclusions
- Some parts of our site are hosted by third parties on subdomains (including life and crowdin); we're less interested in these vulnerabilities unless they lead to a vulnerability in the main site
- Several of our internal services, including our mobile build server, deliberately have some public parts. This is intentional and we don't consider it a vulnerability unless you can use it to compromise the main site.
- We generally only consider spoofing an email that appears to be sent from khanacademy.org as an issue if you can point to specific settings (e.g. SPF records) that aren't configured correctly to prevent it; other reports are generally too client-dependent and difficult to reproduce to be actionable.
- Issues that only apply to browsers we do not support are generally lower-priority although we'll still accept more serious issues.
- Our Turkish language advocates run a site at http://www.khanacademy.org.tr/ -- this site is not officially run via Khan Academy and we are unable to resolve any issues with this site directly. If you report an issue with this site, we will attempt to forward the information appropriately and mark your report as informative.
- We are not currently planning to implement DNSSEC. In particular, this won't affect the majority of our users with clients that are not using DNSSEC, see for instance: https://bugs.chromium.org/p/chromium/issues/detail?id=50874#c22
- Please note that the ka_session cookie is not actually the session cookie we use for authentication; it's primarily for analytics purposes and is intentionally not marked as Secure.
- Many of our endpoints have very lenient or absent rate-limiting. This is because Khan Academy is used in many schools that are configured to have hundreds or thousands of computers behind one IP address. That means routes such as /forgotpw have a very lenient rate limit, though it does exist. We take other steps to detect and mitigate brute force attacks.
To be considered a valid vulnerability, you must be able to demonstrate a way to negatively impact other users. Methods of changing your own experience - including granting yourself energy points - are not considered security

Non-security-related issues can be reported to our public bug tracker, Zendesk: https://khanacademy.zendesk.com.
We believe in recognizing the work of others. If your work helps us improve the security of our website, we'd be happy to acknowledge your work in our Hall of Fame and to make you the proud owner of a Friendly Hacker badge on Khan Academy.
This program crawled on the 2014-04-07 is sorted as bounty.