Vulnerability disclosure policy
GoSkills takes security seriously and will respond to verifiable security issues.
We welcome any suggestions to improve this policy. The policy is subject to change without notice.
Responsible disclosure
Vulnerability reports should be kept confidential, succinct, and include the issue type, URL(s), severity, and all steps required to reproduce the issue.
Reports can be emailed to security@goskills.com.
If you are the first to report a verifiable issue, GoSkills will publicly acknowledge you on this page. At this stage we are unable to offer bounties.
Any security research should avoid anything that may affect other users of GoSkills.
Domains in scope
All goskills.com subdomains are in scope.
Issues in scope
Most web security issues are in scope, e.g. XSS, CSRF, open redirects.
The following are excluded:
- Missing cookie flags on non-session cookies or third-party cookies
- Social engineering
- Denial of service
- Weak TLS ciphers
- Email spoofing, SPF, DMARC & DKIM
- Brute force attacks
- Password policy improvements
- Hardening tips (CSP, SRI)
- Anti-spam or rate limit suggestions
Additionally, any issues with no/low impact or likelihood are excluded.
Vulnerability scanners
GoSkills does not allow any vulnerability scanners to be used against any GoSkills service unless explicitly requested by GoSkills.
The unapproved use of any vulnerability scanning tools may result in restrictions to your account and/or network without warning.
No beg bounties
Any reports that appear to be ‘beg bounties’ asking for payment in return for a disclosure will be ignored.