Responsible Disclosure Policy | Layers 🔒
Responsible Disclosure Policy
Purpose
This Responsible Disclosure Policy outlines the guidelines for security researchers to ethically and responsibly report potential security vulnerabilities to Layers Education. Our commitment is to evaluate all legitimate reports submitted through authorized channels and to continuously strengthen the security of our systems and data to protect our users and services.
Scope
This policy applies to potential security vulnerabilities found within the following assets directly owned, operated, and maintained by Layers Education:
In-Scope Items
Web applications and services hosted under *.layers.education and *.layers.digital (e.g., layers.education, app.layers.education)
Official integrations with third-party systems maintained by Layers Education.
Official mobile applications published by Layers Education on official app stores.
Public-facing APIs and endpoints explicitly documented and published by Layers Education.
Infrastructure and services directly controlled by Layers Education.
Out-of-Scope Items
The following are explicitly out of scope and should not be tested:
Any third-party applications, services, or websites not directly owned or controlled by Layers Education.
Physical access attempts to Layers Education facilities or equipment.
Social engineering (e.g., phishing, vishing, smishing) against Layers Education employees, contractors, or users.
Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
Any activities that could lead to the destruction, alteration, or corruption of data.
Testing on any systems or services that are not explicitly listed as in-scope.
Vulnerabilities that require physical access to a user's device.
Spamming, email bombing, or any form of unsolicited messaging.
Automated scanning tools without manual verification of findings.
Disclosure of information obtained through unauthorized access.
How to Report
To report a potential security vulnerability, please send a detailed email to our dedicated security team at:
security@layers.education
Your report should include, at a minimum, the following information:
A clear and concise description of the vulnerability.
Detailed steps to reproduce the issue, including URLs, parameters, and any specific configurations.
Technical evidence (e.g., screenshots, HTTP request/response headers, proof-of-concept code) that demonstrates the vulnerability. Please ensure no sensitive data is included in your evidence.
The potential impact of the vulnerability.
Any tools or techniques used during your research.
While incomplete reports may still be analyzed, providing comprehensive details will significantly aid our investigation and response time.
Company Commitments
Upon receiving a legitimate vulnerability report that adheres to this policy, Layers Education commits to:
Acknowledging receipt of your report in a timely manner.
Diligently investigating and validating the reported vulnerability.
Treating all researchers with respect and professionalism.
Not pursuing legal action against researchers who comply fully with this policy and act in good faith.
Maintaining transparent communication during the validation and remediation process.
Notifying you once the vulnerability has been remediated, if confirmed.
Important Note: Layers Education does not currently operate a Bug Bounty Program and does not offer financial rewards, gifts, or compensation for vulnerability reports, unless explicitly announced through official channels in the future.
Researcher Guidelines
To ensure your research is conducted ethically and responsibly, and to qualify for our legal safe harbor, researchers must adhere to the following guidelines:
Comply with all applicable laws and regulations.
Use non-intrusive and non-destructive testing methods.
Avoid any testing that could disrupt or degrade our services or impact user experience.
Never access, modify, delete, copy, or share any personal, confidential, or sensitive data.
Never exploit a vulnerability beyond what is necessary to demonstrate its existence.
Never disclose the vulnerability publicly before it has been remediated by Layers Education or without explicit written authorization from us.
Never request payment, reward, or any form of compensation in exchange for your report.
Any violation of these guidelines may result in the removal of legal safe harbor protection.
Prohibited Activities
The following activities are strictly prohibited and will be considered a violation of this policy:
Performing Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
Engaging in social engineering (e.g., phishing, vishing, smishing) against any Layers Education personnel or users.
Attempting to gain physical access to Layers Education facilities or equipment.
Destroying, corrupting, or altering any data.
Accessing or attempting to access data that does not belong to you.
Using automated tools that generate significant traffic or could impact service availability.
Extortion, blackmail, or any attempt to demand payment or compensation for a vulnerability report.
Publicly disclosing any vulnerability without prior written consent from Layers Education.
Non-Reward Statement
Layers Education does not currently offer financial rewards, gifts, or any form of compensation for vulnerability reports. All submissions are considered voluntary contributions to enhancing our security posture. Should Layers Education decide to launch a Bug Bounty Program in the future, it will be formally announced on our official website and through designated channels.
Disclosure Process
The typical process for a vulnerability report is as follows:
Submission: Researcher submits a detailed report to security@layers.education.
Acknowledgment: Layers Education acknowledges receipt of the report within [e.g., 3-5 business days].
Validation: Our security team investigates the reported vulnerability to confirm its existence and impact.
Remediation: If confirmed, Layers Education prioritizes and works to remediate the vulnerability.
Notification: Once the vulnerability is remediated, Layers Education may notify the researcher (if requested and appropriate).
Public Disclosure: Public disclosure of the vulnerability is only permitted after remediation and with explicit written consent from Layers Education.
Legal Safe Harbor
Provided you comply with this Responsible Disclosure Policy, Layers Education will not initiate legal action against you for good-faith security research. This safe harbor applies only to activities conducted in accordance with this policy. Any actions that violate this policy, or any applicable laws, will void this safe harbor and may result in legal consequences.
Changes to this Policy
We reserve the right to make changes to this Policy at any time by publishing a new policy and amending the date of last update. Vulnerabilities disclosed prior to any update of this Policy will remain subject to the then-current policy in effect.