Report a Vulnerability

INTRODUCTION

At EduPlus Abroad (together with its subsidiaries and international affiliates, hereinafter "EduPlus Abroad," "us," "we," "our" or “the Company”), we are always looking to improve continuously, which directly translates into our information security program enabling the protection of our customer's data as a top priority. The EduPlus Abroad Security Team acknowledges the valuable role that honest, independent security researchers and bug reporters play in the overall security of connected systems. As a result, we encourage the responsible reporting of any vulnerability on our company website and services. EduPlus Abroad is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us.

If you believe you have found a qualifying security vulnerability in the EduPlus Abroad product or website, please submit a report following the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.

POLICY GUIDELINES

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Please provide detailed reports with reproducible steps. If the report needs to be more detailed to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a reasonable faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

IN SCOPE

The scope of issues is limited to technical vulnerabilities in the EduPlus Abroad website or mobile apps. Please do not attempt to compromise the safety or privacy of our users (so please use test accounts), or the availability of EduPlus Abroad through DoS attacks or spam. We also request you to not use vulnerability testing tools that generate a significant volume of traffic.

OUT OF SCOPE VULNERABILITIES

When reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS configuration
Any activity that could lead to the disruption of our service (DoS)
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or brute force issues on non-authentication endpoints
Missing best practices in Content Security Policy
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction

HOW TO REPORT A VULNERABILITY

Please help us by providing as much information as possible about the problem you have discovered. If you have not yet done so, please remember to review our rules and guidelines previously announced before submitting the information here.

Domains