Reporting a Vulnerability

What We Accept Reports For

We only accept vulnerability reports for these platforms:

Learning Platforms

Version	Website active
Production	`freecodecamp.org/learn`
Staging	`freecodecamp.dev/learn`

Publications

Version	Website active
English	`freecodecamp.org/news`
World Languages	`freecodecamp.org/<language>/news`

Mobile Apps

Platform	Website active
Android	`https://play.google.com/store/apps/details?id=org.freecodecamp`
iOS	`https://apps.apple.com/us/app/freecodecamp/id1442777773`

Other Platforms & Self-Hosted Services

We self-host some platforms using Open Source software. Only report vulnerabilities in our specific setup and configuration, contact upstream projects for other issues.
Additionally, we may selectively accept reports for some freeCodeCamp GitHub repositories.

Research Guidelines

Follow these guidelines when testing and reporting vulnerabilities:

Rules

Ensure that you are using the latest, stable, and updated versions of the Operating System and Web Browser(s) available to you on your machine.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Perform testing only on our official platforms listed above.
Do not attempt to access or modify user data without permission other than your own. Stop immediately if you find sensitive user data.
Do not use automated tools that could cause service disruption or violate our terms of service.

Report Requirements

Your report should include:

Clear and detailed steps to reproduce the vulnerability.
Impact description - what could an attacker do?
Evidence - screenshots, code, or examples.
Environment - browser, OS, configuration

Here are some examples of valid and invalid reports:

Valid:

Authentication bypass
SQL injection exposing user data
XSS affecting multiple users
Remote code execution vulnerabilities

Invalid:

SSL scanner warnings
Clickjacking on non-sensitive pages
Issues requiring local machine access
Vulnerabilities requiring admin privileges

What We Don’t Accept

Automated Reports & “Beg Bounties”

Generic tool output without manual verification
SSL/DNS configuration warnings
Dependency alerts without proof of exploit
Subdomain enumeration lists

We treat low-effort reports as “beg bounties”. These are reports that don’t meet our quality standards or are not actionable.

Low-Impact Issues

Self-exploitation vulnerabilities like installing a malicious extension
Issues requiring extensive social engineering
Theoretical vulnerabilities without real impact
Problems only affecting outdated OS or browsers

Third-Party & Non-Security Issues

Vulnerabilities in services we don’t control
Known upstream software issues
Regular bugs, Feature requests & Content violations
Physical access requirements

How to Report

Email your report to possible-security-issue [at] freecodecamp.org. You can also send us a PGP-encrypted email using this public key or use this form.

We will acknowledge the report, check if it’s in scope and let you know if we need more information.

We will analyze the report and may ask for more details for investigation.

We will fix confirmed issues and coordinate disclosure timing with you

We will recognize valid reports in our Hall of Fame.

Timeline

Acknowledgement: Within 48-72 hours
Initial Assessment: Within 5-7 business days
Updates: During investigation as needed
Disclosure: Within 90 days maximum

Recognition

We don’t offer any bounties, but we maintain a Hall of Fame for researchers who submit high-effort and good-quality reports.