
Reporting a Vulnerability

We only accept vulnerability reports for these platforms:

Learning platform:

Version | Branch       | Website active
Live    | prod-current | freecodecamp.org/learn
Beta    | prod-staging | freecodecamp.dev/learn

Publication:

Version         | Website active
English         | freecodecamp.org/news
World Languages | freecodecamp.org/<language>/news

Mobile apps:

Platform | Website active
Android  | https://play.google.com/store/apps/details?id=org.freecodecamp
iOS      | https://apps.apple.com/us/app/freecodecamp/id1442777773

  • We self-host some platforms using Open Source software. Only report vulnerabilities in our specific setup and configuration; contact the upstream projects for other issues.
  • Additionally, we may selectively accept reports for some freeCodeCamp GitHub repositories.

Follow these guidelines when testing and reporting vulnerabilities:

  • Ensure that you are using the latest, stable, and updated versions of the Operating System and Web Browser(s) available to you on your machine.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Perform testing only on our official platforms listed above.
  • Do not attempt to access or modify user data other than your own without permission. Stop immediately if you find sensitive user data.
  • Do not use automated tools that could cause service disruption or violate our terms of service.

Your report should include:

  • Clear and detailed steps to reproduce the vulnerability.
  • Impact description - what could an attacker do?
  • Evidence - screenshots, code, or examples.
  • Environment - browser, OS, and configuration.

Here are some examples of valid and invalid reports:

Valid:

  • Authentication bypass
  • SQL injection exposing user data
  • XSS affecting multiple users
  • Remote code execution vulnerabilities

Invalid:

  • SSL scanner warnings
  • Clickjacking on non-sensitive pages
  • Issues requiring local machine access
  • Vulnerabilities requiring admin privileges
  • Generic tool output without manual verification
  • SSL/DNS configuration warnings
  • Dependency alerts without proof of exploit
  • Subdomain enumeration lists

We treat low-effort reports as “beg bounties”. These are reports that don’t meet our quality standards or are not actionable, such as:

  • Self-exploitation vulnerabilities like installing a malicious extension
  • Issues requiring extensive social engineering
  • Theoretical vulnerabilities without real impact
  • Problems only affecting outdated OS or browsers
  • Vulnerabilities in services we don’t control
  • Known upstream software issues
  • Regular bugs, feature requests, and content violations
  • Physical access requirements

Email your report to possible-security-issue [at] freecodecamp.org. You can also send us a PGP-encrypted email using this public key or use this form.

We will acknowledge the report, check if it’s in scope and let you know if we need more information.

We will analyze the report and may ask for more details for investigation.

We will fix confirmed issues and coordinate disclosure timing with you.

We will recognize valid reports in our Hall of Fame.

  • Acknowledgement: Within 48-72 hours
  • Initial Assessment: Within 5-7 business days
  • Updates: During investigation as needed
  • Disclosure: Within 90 days maximum

We don’t offer any bounties, but we maintain a Hall of Fame for researchers who submit high-effort and good-quality reports.