Vulnerability disclosure policy

GoSkills takes security seriously and will respond to verifiable security issues.

We welcome any suggestions to improve this policy. The policy is subject to change without notice.

Responsible disclosure

Vulnerability reports should be kept confidential, succinct, and include the issue type, URL(s), severity, and all steps required to reproduce the issue.

Reports can be emailed to security@goskills.com.

If you are the first to report a verifiable issue, GoSkills will publicly acknowledge you on this page. At this stage we are unable to offer bounties.

Any security research should avoid anything that may affect other users of GoSkills.

Domains in scope

All goskills.com subdomains are in scope.

Issues in scope

Most web security issues are in scope, e.g. XSS, CSRF, open redirects, etc.

The following are excluded:

• Missing cookie flags on non-session cookies or 3rd party cookies
• Social engineering
• Denial of service
• Weak TLS ciphers
• Email spoofing, SPF, DMARC & DKIM
• Brute force attacks
• Password policy improvements
• Hardening tips (CSP, SRI)
• Anti-spam or rate limit suggestions

Additionally, any issues with no/low impact or likelihood are excluded.

Vulnerability scanners

GoSkills does not allow any vulnerability scanners to be used against any GoSkills service unless explicitly requested by GoSkills.

The unapproved use of any vulnerability scanning tools may result in restrictions to your account and/or network without warning.

No beg bounties

Any reports that appear to be ‘beg bounties’ asking for payment in return for a disclosure will be ignored.