Reporting a Vulnerability
What We Accept Reports For
We only accept vulnerability reports for these platforms:
Learning Platforms
Version | Branch | Website active |
---|---|---|
Live | prod-current | freecodecamp.org/learn |
Beta | prod-staging | freecodecamp.dev/learn |
Publications
Version | Website active |
---|---|
English | freecodecamp.org/news |
World Languages | freecodecamp.org/<language>/news |
Mobile Apps
Platform | Website active |
---|---|
Android | https://play.google.com/store/apps/details?id=org.freecodecamp |
iOS | https://apps.apple.com/us/app/freecodecamp/id1442777773 |
Other Platforms & Self-Hosted Services
- We self-host some platforms using Open Source software. Only report vulnerabilities in our specific setup and configuration; contact the upstream projects for other issues.
- Additionally, we may selectively accept reports for some freeCodeCamp GitHub repositories.
Research Guidelines
Follow these guidelines when testing and reporting vulnerabilities:
- Ensure that you are using the latest, stable, and updated versions of the Operating System and Web Browser(s) available to you on your machine.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Perform testing only on our official platforms listed above.
- Do not attempt to access or modify any user data other than your own without permission. Stop immediately if you find sensitive user data.
- Do not use automated tools that could cause service disruption or violate our terms of service.
Report Requirements
Your report should include:
- Clear and detailed steps to reproduce the vulnerability.
- Impact description: what could an attacker do?
- Evidence: screenshots, code, or examples.
- Environment: browser, OS, configuration.
Here are some examples of valid and invalid reports:
Valid:
- Authentication bypass
- SQL injection exposing user data
- XSS affecting multiple users
- Remote code execution vulnerabilities
Invalid:
- SSL scanner warnings
- Clickjacking on non-sensitive pages
- Issues requiring local machine access
- Vulnerabilities requiring admin privileges
What We Don’t Accept
Automated Reports & “Beg Bounties”
- Generic tool output without manual verification
- SSL/DNS configuration warnings
- Dependency alerts without proof of exploit
- Subdomain enumeration lists
We treat low-effort reports as “beg bounties”. These are reports that don’t meet our quality standards or are not actionable.
Low-Impact Issues
- Self-exploitation vulnerabilities like installing a malicious extension
- Issues requiring extensive social engineering
- Theoretical vulnerabilities without real impact
- Problems only affecting outdated OS or browsers
Third-Party & Non-Security Issues
- Vulnerabilities in services we don’t control
- Known upstream software issues
- Regular bugs, feature requests and content violations
- Physical access requirements
How to Report
Email your report to possible-security-issue [at] freecodecamp.org. You can also send us a PGP-encrypted email using this public key or use this form.
- We will acknowledge the report, check if it’s in scope and let you know if we need more information.
- We will analyze the report and may ask for more details for investigation.
- We will fix confirmed issues and coordinate disclosure timing with you.
- We will recognize valid reports in our Hall of Fame.
Timeline
- Acknowledgement: Within 48-72 hours
- Initial Assessment: Within 5-7 business days
- Updates: During investigation as needed
- Disclosure: Within 90 days maximum
Recognition
We don’t offer any bounties, but we maintain a Hall of Fame for researchers who submit high-effort and good-quality reports.